Office of Inspector General
Audit Report

Information Technology

EPA Management of Information Technology Resources Under The Clinger-Cohen Act

Report No. 2002-P-00017

September 30, 2002

Inspector General Division Conducting the Audit:
    Information Technology Audits Division

Program Offices Involved:
    Office of Environmental Information
    Office of the Chief Financial Officer
    Office of Enforcement and Compliance Assurance
    Office of Air and Radiation
    Office of Solid Waste and Emergency Response
    Office of Water

Audit Team Members:
    Jim Rothwell, Project Manager
    Jim Haller, Technical Support
    Ernest Ragland, Auditor
    Michael Young, Auditor
    Robert Shields, Auditor
    Robert Smith, Auditor

Abbreviations

CIO           Chief Information Officer
CPIC          Capital Planning and Investment Control
CTO           Chief Technology Officer
DCIOT         Deputy CIO for Technology
EPA           U.S. Environmental Protection Agency
GAO           General Accounting Office
ICIS          Integrated Compliance Information System
IRM           Information Resources Management
IIS           Information Investment Subcommittee
IT            Information Technology
I-TIPS        Information Technology Investment Portfolio System
OEI           Office of Environmental Information
OIG           Office of Inspector General
OMB           Office of Management and Budget
RCRAInfo      Resource Conservation and Recovery Act Information Management System
SDWIS/STATE   Safe Drinking Water Information System/State Version Modernization Effort
SMP           System Management Plan
VPN           Virtual Private Network

Executive Summary

Introduction

In 1996, the U.S. Congress enacted the Clinger-Cohen Act (Act), initially known as the Information Technology Management Reform Act, to improve the management of federal agencies’ information technology (IT) resources. The Act requires each agency head to develop and implement a process for maximizing the value of and assessing and managing the risks of IT acquisitions. This process is known as the IT Capital Planning and Investment Control (CPIC) process. The CPIC process relates to an agency’s selection of information technology investments, the management of such investments, and the on-going evaluation of funded investments. The Act requires the Chief Information Officer (CIO) to establish an Enterprise Architecture and to use it as part of the CPIC process.
The Enterprise Architecture establishes the entity-wide road map to achieve an agency’s mission. An agency’s capital planning and control process must build from its current Enterprise Architecture, and support the transition from its current to target architecture.

Objectives

We audited to determine whether:

• EPA has established a CIO position with sufficient authority and administrative controls to effectively manage IT resources Agency-wide.

• EPA’s CIO has adequately:
    - managed and controlled investments using a comprehensive IT CPIC process;
    - developed and maintained an Enterprise Architecture;
    - monitored IT investment projects and provided standard tools and practices for managing system development projects; and
    - coordinated with the Chief Financial Officer to help provide sufficient direction and guidance to Agency management regarding cost effective acquisitions.

Results in Brief

EPA’s CIO has sufficient authority to shape and direct Information Resource Management (IRM) activities. Nevertheless, past CIOs have not provided the leadership needed to fully implement the changes required by the Act. Since established in 1998, EPA’s CIOs have taken some actions to implement and institutionalize the Agency-wide authority and responsibilities for IT capital investments. Yet many strategic planning and development activities only started in fiscal 2001. A first step in addressing EPA’s planning needs was the CIO approval of an updated EPA Strategic Information Plan on July 29, 2002.

EPA’s new CIO recognizes the importance of the issues raised in this report and is taking aggressive steps to address the Act’s fundamental components. For example, in May 2002, the CIO established a Chief Technology Officer position to coordinate, implement, and advise on the Strategic Technology Plan, Agency Architecture, E-government activities and IT investments. Also, in June 2002, the Deputy CIO for Technology (DCIOT) was assigned responsibility for establishing and publishing standards and procedures based on the Act. However, institutionalizing structured, centralized controls and oversight processes will take additional effort and resources. Some program managers have not taken the Act seriously and have viewed its requirements as another step to satisfy the annual OMB budget call.

Several key factors continued to limit the realization of a successful program:

• Senior program managers continued to use outdated and unauthorized IT acquisition practices, because Agency IT policies conflicted with the Act’s requirements and the CIO’s authority.

• The Agency was still developing its Enterprise Architecture Plan, and had not established a formal chain of command, either through policies or formal delegation, from the CIO to the Chief Technology Officer, DCIOT, and Chief Architect. In particular, formalization of the Chief Technology Officer and Chief Architect positions will help ensure sufficient management authority and resources to implement the Act.
  Also, position descriptions for all three roles should be updated to address respective responsibilities for the development of an Enterprise Architecture and execution of related IT activities.

• EPA had not implemented a CPIC performance-based measurement system for assessing and managing risks of IT acquisition, and implementing, monitoring and evaluating IT projects.

EPA is in the process of implementing an IT cost accounting system to support such areas as IT budget reporting, project management, and system life cycle management. Project cost accounting is a critical management tool for EPA to achieve acceptable, efficient and effective accounting, budgeting, and procurement of IT investment projects.

With regard to the fiscal 2002 budget, we believe the CIO had minimal assurance that IT investments reported to OMB would maximize their value. Moreover, the CIO had little assurance that these investments were adequately assessed for risk factors, that risks were being managed, or that products were procured consistent with the Act’s requirements. EPA reported investments that totaled more than $449 million for the fiscal 2002 budget. Our review showed that EPA continued to spend millions on IT investments that appeared to be making minimal or insignificant progress. During the period under review, EPA’s IT investments were not maximizing the efficiency of IT operations nor resolving long-standing problems, such as integration of environmental data.
Existing IT contracts, with a maximum value totaling approximately $1.6 billion, can be awarded new work without proper delegated authorization from the CIO. Furthermore, EPA continued to award new IT contracts without required CIO approval.

Recommendations

Improving the fundamental issues addressed in this report will require a series of inter-related corrective actions. To help EPA management plan for and channel its resources in a methodical manner, we prioritized the recommendations listed in Chapters 2 through 6 of this report. The most prominent recommendations are summarized below. The CIO will need to complete and implement these actions in order to improve the way EPA’s IT investments are assessed, managed, and evaluated.

• Revise outdated policies to remove unauthorized IT business practices and add new requirements.

• Formally re-delegate authority and responsibilities for implementing the Clinger-Cohen Act to the Chief Technology Officer and, in turn, further re-delegate to the Chief Architect the management authority and responsibilities for maintaining an Enterprise Architecture.

• Establish and update policies for the Enterprise Architecture and execution of related IT investment activities under the Act.

• Implement an automated project management system.

• Implement individual project monitoring and evaluation processes for IT investments.

The CIO also will need to work with other Agency officials to establish delegations, policies, and procedures for IT procurements.

Agency Comments and OIG Evaluation

We received comments from EPA’s CIO, Comptroller, Assistant Administrator for Solid Waste and Emergency Response, and the Director, Information Transfer and Program Integration Division of the Office of Air and Radiation. We amended the report based on these responses, as well as additional discussions with appropriate management officials.

The CIO agreed with our emphasis on the importance of an effective IT investment management program and agreed to continue to aggressively address issues identified by the report. The CIO noted substantive accomplishments toward that goal, such as establishing new policies, promulgating a new information strategic plan, hiring a Chief Technology Officer, employing a risk-based process for IT investments, and establishing a cost tracking system.

While we agree that EPA has taken significant initial steps to address the report’s findings and recommendations, there are still significant recommendations that need to be addressed, such as implementing an automated system to manage the CPIC process. Also, authorities and responsibilities for the Chief Technology Officer and Chief Architect need to be incorporated into Agency policy, and resources need to be dedicated to complete and maintain EPA’s Enterprise Architecture. The CIO has established an ambitious schedule to address this report’s recommendations, and it will require EPA to continue dedicating significant resources.

The Comptroller responded that his office was working with an Office of Environmental Information workgroup to ensure consistent treatment of IT costs with common system life cycle stages.
The Comptroller did not agree to amend existing IT contracts and stated that the interim policy announcement provided adequate controls. We still have concerns about the adequacy of the new cost accounting process for categorizing project costs by life cycle phases. However, we will defer making formal recommendations until a more detailed assessment of the new process can be completed as part of the Fiscal 2002 financial statements audit.

The Assistant Administrator for Solid Waste and Emergency Response, and the Director for the Office of Air and Radiation’s Information Transfer and Program Integration Division, both disagreed with our conclusion that project management controls were inadequate. We did not review all project management controls, but we did document inaccurate and/or unsupported information being reported as part of the budget for the IT system projects. We also found that the projects did not comply with existing Agency systems development life cycle policy documentation requirements. We consider these to be significant project management weaknesses.

Table of Contents

Executive Summary

Chapters
1      Introduction
2      CIO Needs to Fully Implement Clinger-Cohen Act Requirements
3      Weaknesses in CPIC Process Place EPA’s IT Investments at Risk
4      EPA Needs to Organize and Integrate Planning for IT Investments
5      EPA Needs to Strengthen IT Project Management Controls
6      Project Cost Accounting System Vital for Planning and Managing IT Investments

Appendices
1      Details on Scope and Methodology
2      Office of Environmental Information’s Response to Draft Report
3      Office of the Chief Financial Officer’s Response to Draft Report
4      Office of Air Quality Planning and Standards’ Response to Draft Report
5      Office of Solid Waste and Emergency Response’s Response to Draft Report
6      Report Distribution

Chapter 1
Introduction

Purpose

The audit’s objectives were to determine whether:

• EPA had established a Chief Information Officer (CIO) position with sufficient authority and administrative controls to effectively manage Information Technology (IT) resources Agency-wide;

• EPA’s CIO had adequately:

    - Managed and controlled investments using an IT Capital Planning and Investment Control (CPIC) process, including a determination of whether investment decisions minimize the risk to the Agency, provide a positive return on investment, and satisfy the Clinger-Cohen Act requirements;

    - Adopted the Federal Enterprise Architecture Framework components necessary for developing and maintaining an Agency Enterprise Architecture, as prescribed by the Office of Management and Budget (OMB) and the Federal Chief Information Officers Council;

    - Monitored IT investment projects and provided standard tools and practices for managing system development projects; and

    - Coordinated with the Chief Financial Officer to help provide sufficient direction and guidance to Agency management to ensure IT investments were acquired in a cost-effective manner.

Background and Criteria

Act Established CIO Role and CPIC Process

The Clinger-Cohen Act of 1996 (Public Law 104-106) intended for a central process, led by a CIO, to manage IT investments across an agency. Since 1996, EPA has taken two significant actions to implement the Clinger-Cohen Act. In 1998, EPA’s Administrator established the CIO position through Delegation 1-84. The Delegation assigned responsibility to exercise all responsibilities of the CIO pursuant to the Clinger-Cohen Act, such as establishing an IT Architecture and an IT CPIC process. Then, in 1999, EPA reorganized its Agency IT management, and established an Office of Environmental Information (OEI) and a Quality Information Council.

The Act requires the CIO to implement a CPIC process for maximizing the value and assessing and managing the risks of an agency’s IT acquisitions. The CPIC process is to provide for the selection of investments using minimum criteria, both quantitative and qualitative, for comparing and prioritizing alternative information systems projects. In addition, the CPIC process must provide a means for senior managers to obtain timely information regarding progress (at established milestones).

The Act identifies numerous requirements and responsibilities for the agency head, CIO, and other key officials.
Specific responsibilities for the CIO include:

• Developing and implementing a sound and integrated Enterprise Architecture;

• Monitoring and evaluating the performance of IT programs based on defined measurements, and determining whether to continue, modify, or terminate a program or project;

• Implementing and enforcing applicable government-wide and Agency IT management policies, principles, standards, and guidelines;

• Acquiring and managing information resources in a manner consistent with Federal laws and internal policies and procedures.

• Integrating Information Resources Management (IRM) operations and decisions with organizational planning, budget, financial management, and program decisions;

• Developing a full and accurate accounting of IT expenditures, related expenses, and results; and

• Establishing a process to select, control, and evaluate the results of major information system initiatives.

Law and OMB Circulars Further Define Requirements

Under Title 44, U.S. Code, Section 3506, agencies are responsible for developing and maintaining an IRM strategic plan, as well as a current and complete inventory of its information resources.

OMB Circular A-130, Management of Federal Information Resources, requires the CIO to: (1) prepare and update a cost-benefit analysis for each information system, as necessary throughout its life cycle; (2) conduct cost-benefit analyses to support ongoing management oversight processes; (3) conduct post-implementation reviews of information systems to validate estimated benefits and document effective management practices; and (4) establish information system management oversight mechanisms. This Circular also emphasizes that IRM planning should help the Agency link IT to mission needs.
Furthermore, IRM planning should coordinate with other agency planning processes, including strategic, human, and financial resources. The agency should employ mechanisms to ensure that major information systems proceed in a timely fashion towards agreed-upon milestones, meet user requirements, and deliver intended benefits to the agency and the public.

OMB Circular A-11, Preparing and Submitting Budget Estimates, lists requirements for preparing and submitting IT budget estimates, including requirements to evaluate full life cycle costs, benefits, and Return on Investment.

CIO Council Addresses Best Practices and Provides Guidance

Federal CIO Council, Capital Planning and IT Investment Committee, Implementing Best Practices, dated June 1998: The 24 major Federal agencies participated in a Best Practices Workshop highlighting their approaches for selecting, controlling, and evaluating critical IT investments.

A Practical Guide to Federal Enterprise Architecture, Version 1.0, February 2001: This guide states that an Enterprise Architecture establishes the agency-wide road map to achieve an agency's mission through optimal performance of its core business processes within an efficient IT environment. The Chief Architect, in conjunction with the CIO and select Agency business managers, defines the architectural principles that map to the organization’s IT vision and strategic plans. As shown in Figure 1, architectural principles should represent fundamental requirements and practices believed to be good for the organization.

Figure 1. Role of Architecture Principles

EPA Delegation for CIO

EPA Delegations Manual 1200, 1-84, Information Resources Management, dated December 18, 2001, specifically requires the CIO to:

(1) Approve the Agency's IRM Strategic Plan, Five-Year IRM Implementation Plan, IRM investment portfolio, and IRM contracting strategy;
(2) Establish policies and procedures for the management and security of records, files, data, and information systems and technology;
(3) Approve the acquisition of information technology resources; and
(4) Establish and maintain a continuing program for the management and security of records, files, data, and information systems and technology.

Authorities (3) and (4) above were re-delegated on June 13, 2002, to OEI’s Director for Technology Operations and Planning. These authorities may be re-delegated further to Assistant Administrators, Regional Administrators, the Chief Financial Officer, and other senior Agency officials. Moreover, these officials may further re-delegate authorities within their respective organizations.

EPA Requirements for Software Development

EPA Directive 2100, IRM Policy Manual, establishes a policy framework for IRM programs at EPA. In particular, Chapter 17, System Life Cycle Management, identifies life cycle requirements for information systems projects.
These requirements include the System Management Plan, cost-benefit analysis, and a risk analysis at each stage of the system development life cycle. Chapter 17 also prescribes that a system charter be developed during project initiation, including an estimate of life cycle costs, and identifying the appropriate management levels for approving decision papers. A System Management Plan decision paper should be produced at the conclusion of the analysis stage and should be updated as the project progresses.

Scope and Methodology

We conducted this audit at EPA Headquarters in Washington, DC, starting in January 2001 and issued a draft report in April 2002. Subsequent to the draft report, we updated portions of the findings to reflect recent Agency accomplishments. We performed our audit in accordance with the Government Auditing Standards, as issued by the Comptroller General of the United States, and included such tests as necessary to complete our objectives. Exhibit 1 details our scope and methodology, as well as prior audit coverage.

Chapter 2
CIO Needs to Fully Implement Clinger-Cohen Act Requirements

EPA’s CIO needs to demonstrate strong leadership by providing IT technical expertise and a workable investment management structure to ensure the Agency’s many program offices implement the IT capital investment process envisioned by the Clinger-Cohen Act.
While EPA has taken steps to implement Clinger-Cohen functions, many aspects continue to evolve, with plans, policies, and guidance still in development. EPA did not effectively manage its IT investments from an Agency-wide perspective; however, it recently established a Chief Technology Officer to provide leadership and implement a comprehensive IT investment program. For the period under review, we found that program officials were still operating under invalidated IT acquisition policies and procedures that allowed them to individually make investment decisions. EPA appeared to be using a slowly evolving, volunteer-based, and decentralized approach to developing, supporting, and managing IT capital investments. In addition, the lack of a monitoring process allowed projects to be executed without a minimum level of management controls. Finally, some program managers did not take the Act seriously and viewed the Agency requirements as another step to satisfy the annual OMB budget call.

CIO Relies on IT Budget Instead of Investment Portfolio Process

The CIO used the Fiscal 2002 annual budget call to plan IT investments. The Act intended that the CIO establish a performance-based system for implementing, monitoring and evaluating IT projects. The Agency’s IT investment process was primarily a budget reporting process. It was used to meet OMB IT program annual reporting requirements and to recommend an annual budget for major systems investment projects. Financial management, procurement, and project management controls were not adequately integrated into the Agency’s CPIC process. Moreover, project management practices were inconsistent throughout the Agency.
Numerous examples demonstrated that the peer review used objective, yet constantly evolving, criteria for evaluating investment risk. While the peer review process adequately quantified and documented risk determinations, we could not substantiate the basis for Information Investment Subcommittee’s (IIS) decisions to (1) lower the risk determinations assigned to some investment proposals, and (2) make recommendations for funding them to the Quality Information Council and CIO.

Investment Portfolio Structure Missing Fundamental Elements

In 1998, EPA established a CIO position. In 1999, EPA created the OEI and reorganized its IRM structure. However, more than 5 years after implementation of the Act, EPA still had not sufficiently implemented some fundamental elements of a centralized investment portfolio structure (strategic IRM plan, CPIC process, Enterprise Architecture, and cost accounting process). Specifically:

• Senior Agency program managers continued to use outdated and unauthorized IT investment practices. Policies and procedures, such as EPA Directive 2100, need to be revised to incorporate new CIO responsibilities relating to IT procurement, systems development life cycle, project management, cost accounting, and budget.

• EPA’s IRM Strategic Plan dated back to 1994, and did not reflect Clinger-Cohen Act requirements.
  However, on July 29, 2002, the Agency updated the plan and issued the EPA Strategic Information Plan: A Framework For The Future.

• Leadership and organization for developing the Enterprise Architecture changed significantly over the past two fiscal years.

    - Until the fall of 2001, the Agency budget submission included the architecture project as a component of infrastructure proposals and, as such, was under that leadership. In its fiscal 2003 budget submission, EPA identified it as a separate architecture project and intensified efforts to complete the baseline and target architectures.

    - In February 2002, the CIO announced a Chief Architect position to manage the development of an Enterprise Architecture. Then, in May 2002, the CIO established a Chief Technology Officer position to coordinate, implement, and advise on numerous IT investment management activities, including the Agency’s architecture. Also, through EPA’s CPIC policy, the Deputy CIO for Technology (DCIOT) was assigned responsibility for establishing and publishing standards and procedures for the Agency Architecture, E-government activities, and IT planning. These are positive actions, but the Agency has not yet established a formal chain of command from the CIO to the Chief Technology Officer, DCIOT, and Chief Architect. Formalization of the Chief Technology Officer and Chief Architect positions would help ensure sufficient management authority and resources to implement the Act.

    - EPA believes it will be able to complete the Enterprise Architecture baseline, target, and sequencing approach by October 2002.
     However, we have not reviewed the recently-completed draft baseline, and have not evaluated whether available resources will enable the Agency to achieve this milestone.

• Senior managers could not obtain timely and accurate cost, benefit, and performance information on IT projects. In 2001, EPA purchased a service level agreement to use off-the-shelf software called Information Technology Investment Portfolio System (I-TIPS), a federally-sponsored software product, for monitoring and evaluating IT projects in the CPIC process. EPA indicated it has assigned resources for implementation, developed milestones for production, and will use the software to generate automated reports to OMB for the 2004 budget submission. Furthermore, management states that I-TIPS will be expanded agency-wide in 2003.

• Actions are needed to strengthen IT project management controls. Program managers used inconsistent management tools, and EPA had no standard project cost accounting system for providing useful data to project managers. Managers used outdated cost-benefit assessments or chose to omit the assessment as part of the system development process.
  Moreover, the CIO had not established monitoring or evaluation processes to ensure major information systems proceeded in a timely and cost-effective fashion, met user requirements, and delivered intended benefits to the Agency and affected public.

These issues are covered in greater detail in Chapters 3 through 6.

EPA’s Process Creates Unacceptable Risk for IT Investments

The absence of a fully-developed, centralized investment portfolio structure resulted in management’s:

• inconsistent and undocumented evaluations - IIS approval of IT investment proposal projects which were documented as high risk by a peer review process,

• inability to effectively monitor IT system development or enhancement projects’ schedules and costs,

• omission of investment benefit evaluations for completed IT projects, and

• inability to document and account for IT project investment costs.

The slowly evolving and decentralized approach that was being used to develop an IT investment control structure was not successful. EPA’s approach allowed IT projects to be funded without proper justification, and in the absence of adequate management controls. EPA invested resources on outdated systems that did not maximize the efficiency or resolve long-standing problems, such as integration of environmental data. For example, the Air Quality System spent over $8 million from fiscal 1996 through 2001 for the project’s Phase 1. The fiscal 2001 budget submission for the project included a statement of intent to make modifications in Phase 2 to adapt the system to function with EPA’s Central Data Exchange portal and incorporate Agency data standards.
However, these critical functional modifications were not addressed until fiscal 2002, about 6 years into the project.

Conflicts between the EPA Delegation 1-84 and prior procurement policies caused program and regional managers to award new IT contracts without proper CIO approval. Also, existing IT contracts, with a maximum value totaling approximately $1.6 billion, can be awarded new work without proper authorization. Under EPA Delegation 1-84, the CIO is the only manager authorized to approve acquisitions of IT resources. In June 2002, this authority was re-delegated to OEI’s Director for Technology Operations and Planning. This authority can be re-delegated further. However, this delegation conflicts with and invalidates prior EPA procurement policies and practices in EPA Directive 2100.

Overall, there is a high risk that EPA’s technology investments will not result in significant improvements in organizational efficiency and productivity, or enable EPA to work better with states, tribes, local governments, private industry, and the general public. EPA planned to spend approximately $449 million for IT investments in fiscal 2002, so poor investment choices could have significant monetary ramifications. To avoid risk, EPA must ensure that its target enterprise architecture is fully integrated with its Government Performance and Results Act goals and objectives, IRM Strategic Planning, and IT acquisition processes.
Until this integration is achieved, EPA will continue to struggle with its ability to reinvent organizational processes, integrate and manage data, and build a scalable and reliable network architecture.

In its fiscal 2003 budget submission, EPA took the first step in consolidating duplicate systems when it combined four modernization efforts into two investment proposals. EPA’s process for evaluating investment proposals appears to consider data standards requirements and system duplications; however, management must continue to strengthen procedural controls to minimize effects of a weakly integrated process, such as:

• IT investments that are not driven by business priorities and mission goals,

• investing in stovepipe and duplicate systems,

• IT investments that do not take advantage of technology advances and reduced costs,

• inefficient reporting processes for states and private industry users,

• application systems that do not comply with environmental data and interoperability standards, and

• not meeting increased public access and security requirements.

Until EPA fully implements the Act’s requirements, management will be unable to make fully-informed decisions regarding IT investments.

Strong CIO Leadership Needed to Implement and Enforce Act

Although it has been more than 5 years since the Clinger-Cohen Act was implemented, EPA has yet to comply fully with its statutory requirements.
We believe this was due, in part, to the fact that EPA did not have a presidentially-appointed and Senate-approved CIO prior to December 2001. Although EPA reorganized its IRM office and established a CIO position, there was little change in the Agency’s IT operations or investment practices until recently.

The lack of strong CIO leadership and a comprehensive investment portfolio structure perpetuated the Agency’s unsuccessful, decentralized IT investment process. The CIO should target key agency-wide problems through the CPIC process (e.g., integration of environmental data, electronic reporting, duplicate systems, Geospatial Information, data standards, and data management). The new CIO’s actions show that she agrees. For example, EPA used the CPIC process findings to stop operating funds for the Geographical Information Systems’ investment.

Recommendations

We recommend the Chief Information Officer:

2-1. Assign sufficient resources and expertise to ensure timely and effective implementation of report recommendations.

2-2. Continue with strategy to develop and execute a comprehensive, prioritized, multi-year plan to address gaps and bring EPA’s IT policy collection to the “should be” state. In particular, the plan should include appropriate practices for the Enterprise Architecture, CPIC process, and IT acquisitions addressed in the Clinger-Cohen Act, OMB guidance, and EPA Delegation 1-84.

2-3. Continue to work with the Director for Acquisition Management to (a) direct contracting officers and other procurement personnel to only accept procurement requests with a formal CIO approval or officially re-delegated procurement authority; and (b) establish interim delegations, policies and procedures for IT procurement, until formal re-delegations are revised and implemented.

Agency Response

The CIO agreed overall with the emphasis placed on establishing an effective IT resource investment program. However, the CIO identified specific findings and recommendations that the CIO did not believe reflected recent Agency accomplishments.

OIG Evaluation

We made changes to the report findings and recommendations based on the CIO’s response, acknowledging that accomplishments not previously noted were due to (1) recently-completed actions, and (2) EPA’s evolving IT investment process, procedures, and selection criteria. While we updated the report’s information based on management’s comments, we believe significant issues still need to be addressed to institutionalize the Act’s requirements. Establishing Agency policies and procedures is only the first step.
Monitoring and evaluating IT investments against a set of minimum, critical criteria can ensure the institution is operating as desired for IT capital investments. Furthermore, formalizing the Chief Technology Officer and Chief Architect authorities and responsibilities should help ensure adequate resources are dedicated to the completion and maintenance of the Enterprise Architecture. Then, monitoring and evaluation of IT investments can provide a basis to recommend modifications to the Agency’s Enterprise Architecture. The CIO has established an ambitious schedule to address this report’s recommendations and, to succeed, EPA will need to continue dedicating significant resources for planning, procuring, monitoring, and evaluating IT investments.

Chapter 3
Weaknesses in CPIC Process Place EPA’s IT Investments at Risk

The Agency’s CPIC process was inadequate to properly manage EPA’s IT investments. Most of EPA’s major fiscal 2002 IT investment proposal projects are high risk and operating with little oversight. Moreover, projects are not evaluated upon completion. In total, the fiscal 2002 budget submission indicated EPA was planning to spend $449.4 million for IT investments, including $203.2 million for major projects.
EPA’s fiscal 2002 CPIC investment portfolio process was primarily a peer review risk assessment process that: used constantly evolving Agency-wide priorities for selection, provided little oversight of individual projects’ execution during the Control phase, and did not evaluate the adequacy of completed projects in an Evaluation phase. EPA’s fiscal 2003 CPIC process was basically the same. As a result, as discussed in Chapter 2, the Agency may have invested resources on outdated systems that did not maximize the efficiency or resolve long-standing problems, such as integration of environmental data.

Numerous Documents Provide Federal Guidance

OMB provides the primary Federal guidance in Circular A-130, Management of Federal Information Resources; Circular A-11, Preparing and Submitting Budget Estimates; and Circular A-94, Guidelines and Discount Rates for Cost-Benefit Analysis of Federal Programs. The CIO Council and General Accounting Office (GAO) have both published additional Federal guidance that describes the process. GAO provides an illustration of this process (see figure 2) in Information Technology Investment Management: An Overview of GAO’s Assessment Framework (Exposure Draft), GAO/AIMD-00-155, May 2000.

Figure 2. IT Capital Planning and Investment Control Process

Existing CPIC Process Inadequate to Manage EPA’s IT Investments

EPA’s IT CPIC process did not adequately select, control, and evaluate the appropriate mix of IT capital investments using objective, risk-based criteria consistent with the Agency’s Enterprise Architecture and IRM Strategic Plan. Under the current process, EPA’s Chief Financial Officer prepares three exhibits (52, 53, and 300b), at varying times of the fiscal year, for EPA’s annual IT Budget submission. OEI’s Information Investment Subcommittee (IIS) considers the results of an annual risk assessment review of the major investment proposals listed in Exhibit 300b and, during the Select phase, makes funding recommendations to the Quality Information Council and CIO. However, EPA’s CPIC process provides little oversight of individual projects’ execution during the Control phase and does not evaluate the adequacy of completed projects in an Evaluation phase, as recommended in Figure 2. The peer review risk assessment was the most substantive and documented process that EPA used to objectively manage annual IT investments.
However, at the IIS review level, we found a decision process that lacked adequate evidence to (1) substantiate subjective executive decisions that differed from peer review recommendations, and (2) describe how discrepancies identified by the peer review were resolved.

As such, Agency management planning and budgeting recommendations for fiscal 2002 appeared to be based on IIS opinion, rather than the objective peer review risk evaluations. While the peer review process objectively quantified and documented risk determinations, we could not adequately substantiate the basis for the IIS votes which lowered the risk assigned to investment proposals by the peer review process. Nevertheless, the IIS recommended funding the proposals to the Quality Information Council and CIO. The same basic CPIC process was used for EPA’s fiscal 2003 IT Budget submission, although specific criteria for the peer review process changed. Our review of the three specific phases disclosed the following:

Select Phase

Recommendations Not Supportable or Justified. Many IIS recommendations were not supportable based on objective criteria. We evaluated information from EPA’s Exhibit 300b IT budget submission, the major IT project document; OMB’s risk analyses of that submission; and EPA’s internal CPIC Peer Review risk assessment. From those sources, we summarized the investment proposal responses, focusing on 4 key risk factors for the 48 major IT proposals listed in EPA’s fiscal 2002 budget submission to OMB. We compared the 48 investment proposals to the results of EPA’s CPIC Peer Review risk assessment, OMB’s risk assessment report card, and our assessment for the 4 key control areas.
OMB clarified that they considered projects to be high risk if they did not demonstrate compliance with key requirements, or the information provided was not sufficient to determine the risks. OMB’s risk assessment report card reflected that, overall, 89 percent of EPA’s major projects were high risk, while EPA’s Peer Review assessed that only 8 percent were high risk. Our assessment concluded that all 48 proposals were high risk, based primarily on the fact that the Agency had not provided an Enterprise Architecture for IT managers to use in preparing IT investment proposals. In spite of not having an Enterprise Architecture, all the proposals nonetheless indicated they were aligned with an Architecture.
Details on our comparison are in the following table.

EPA Major Investment Proposals
Key Project Risk Factors
(Fiscal 2002)

Key Risk Factors                            OMB            OIG            Peer Risk
                                            Assessment ¹   Assessment     Assessment
-------------------------------------------------------------------------------------
Percentage of IT projects not aligned       100%           100%           N/A
with Enterprise Architecture

Percentage of IT projects not including     4%             33%            56%
adequate security planning or when not
clear

Percentage of IT projects not including     100%           56%            40%
a completed current cost-benefit
analysis or when not clear

Percentage of IT projects not having        N/A            48%            42%
approved system management plan or
when not clear

Percentage of High-Risk                     89%            100%           8%
IT Investment Proposals

The IIS reviewed the internal risk assessments and agreed with the conclusions that some of these projects were high risk. Nevertheless, the IIS recommended to the Quality Information Council and the CIO that all 48 projects be recommended for funding in the fiscal 2002 budget submission.
OEI told us that these projects were recommended for funding only after substantial corrective actions were taken to make the business case, and a fourth review of the project proposal was conducted.

¹ We calculated percentages based on raw data (# of projects) and footnote information associated with the “major” projects (Steady State, Mixed and Development/Modernization/Enhancement), as taken from documents provided to EPA by OMB regarding the Agency’s fiscal 2002 IT budget submission (dated July 26, 2001).

Significantly Deficient Projects Recommended for Funding. In spite of the risk assessment process, all the projects with significant weaknesses were recommended for funding in the fiscal 2002 and 2003 IT budget submissions. For example, major projects were found to have significant weaknesses by the peer review process. The IIS downgraded these projects from “red light” to “yellow light” in fiscal 2002, but we found no evidence of how the significant deficiencies were resolved. In fiscal 2003, the peer review process once again stated these projects contained significant weaknesses. Once again, the IIS recommended them for funding. The documentation provided did not contain clear, objective evidence from which we could conclude whether the cited deficiencies had evolved during the 2-year span or simply remained unchanged. Our analysis was confined by the fact that the risk assessments used different documentation and evaluation requirements each year.
The CPIC process should rely on one minimum set of consistent objective criteria applied throughout all levels of the selection review hierarchy.

Inconsistencies Noted. The narrative for the CPIC IT budget submissions was unclear about the Enterprise Architecture and conflicted with the Agency’s fiscal 2002 Annual Performance Plan goals. For example, EPA’s key architectural project, the Information Integration Program, refers to the Integrated Compliance Information System (ICIS). The Enterprise Architect document states that ICIS is “being designed to interface with only a few . . . legacy systems, but the technology is scalable . . . .” However, the fiscal 2002 Annual Performance Goals discusses ICIS in terms of 14 existing systems. From these conflicting perspectives, it was not clear how the existing legacy systems were to be integrated with the Enterprise Architecture strategic framework.

Control Phase

EPA was not monitoring the execution of IT capital investment projects during the year, thereby preventing the CIO from adequately managing ongoing IT investment projects. In fiscal 2002, OMB established baselines to measure progress and performance for projects’ scheduled milestones and cost estimates. OMB required that agencies explain schedule slippages and increased costs greater than 10 percent. EPA reports this information in annual Exhibit 300b reports. However, common industry practice is to use a 4-week time frame for monitoring and measuring variances from the project plan. In our opinion, the Agency should monitor the execution of its projects through periodic reports (at least quarterly) that managers can use to identify emerging cost or schedule problems and initiate compensating actions.

Evaluate Phase

The Agency did not perform any post-implementation reviews or evaluations of completed IT projects.
EPA’s OEI has taken steps to implement a Post-Implementation Review Phase. In addition, management prepared a list of completed or terminated projects that would require review for the first time during the fiscal year 2003 CPIC process.

CPIC Management Problems Stem from Several Causes

Many factors have contributed to the ineffectiveness of EPA’s current CPIC process, as discussed below.

CIO Needs to Institutionalize a CPIC Process

In June 2002, EPA issued EPA Order # 2100.A.1 to formally recognize CPIC policies in the Agency Directives. As a next step, the CIO needs to establish Agency-related CPIC procedures and guidance.

Insufficient Staff Dedicated to CPIC Process

In our opinion, the CIO had not dedicated sufficient resources to administering a fully functional CPIC process. The lack of administrative and financial resources restricted EPA’s capability to implement a comprehensive system for managing its IT investment portfolio. The Agency’s IT program for fiscal 2002 totaled $449 million. Yet, the CIO only established two full-time positions (team leader and one staff) as the primary resources to implement and execute an EPA CPIC process. The permanent positions were supplemented by an ad hoc team for the peer risk assessment and the review of proposals by the IIS.
EPA should assign sufficient resources and expertise to address IT acquisition and development.

Implementing I-TIPS Would Structure CPIC Process

Implementing the Federally-sponsored I-TIPS software, an automated investment control and reporting system, would provide EPA with a valuable tool for monitoring and managing its IT investment portfolio. This tool already is being used by more than half of major Federal agencies. Implementing I-TIPS would help EPA select IT proposals, monitor the execution of funded IT projects, and electronically report IT investment submissions to OMB.

Although EPA’s OEI appeared to seriously consider using I-TIPS, during the review cycle, management could not provide evidence to support that they planned to implement the software product in the near future. In March 1999, OEI conducted a study, Report on the Results of I-TIPS Process Analysis and Feasibility. Then, in 2001, EPA purchased a Service Level Agreement for I-TIPS. In response to the draft report, OEI indicated that it would use I-TIPS during the current budget cycle for generating reports to OMB. Agency-wide implementation of the product is tentatively scheduled for the fiscal 2005 budget cycle.

Recommendations

We recommend the Chief Information Officer:

3-1. Assign sufficient staff to develop a formal manual for the CPIC process in the EPA Directives system, and cross reference it to updated IT policies in Directive 2100 on budget, management, procurement, and the System Development Life Cycle. At a minimum, the manual should include:

     (a) a description of how IT investments are linked to the Enterprise Architecture and IRM Strategic Plan,
     (b) a minimum set of mandatory objective, risk-based criteria for use by both the technical peer review and the IIS review for the Agency’s IT investment portfolio,
     (c) performance measures for monitoring and evaluating progress on IT investments, and
     (d) provisions for post-implementation review and evaluation of IT investments.

3-2. Direct the IIS to not recommend funding IT projects identified by the Peer Review process as having significant weaknesses (i.e., do not meet the minimum established requirements) or duplicating existing projects, until critical deficiencies are resolved and the resolution steps adequately documented. In addition, IIS should clearly document how all risk weaknesses identified by the peer review are addressed and/or resolved prior to the Subcommittee making recommendations to fund projects to the Quality Information Council and CIO.

3-3. Direct the Information Investment Subcommittee to monitor the execution of IT projects during the fiscal year (at least quarterly) to identify emerging cost or schedule problems and initiate corrective actions.

3-4. Initiate a formal process with written evaluations of ongoing, completed, and terminated information technology projects to evaluate whether the projects or systems are successfully delivering promised benefits at an acceptable cost.

3-5. Complete implementation of an automated portfolio management system (e.g., I-TIPS) to provide timely, reliable information for investment decisions.

Agency Response

The CIO’s response noted that OEI has issued formal criteria for the CPIC process each year since the requirement began. The CIO also stated that EPA used a highly structured approach for its annual data call, although that process continued to evolve from year to year. Lastly, the CIO indicated that EPA expects to integrate updated OMB Circular A-11 requirements and the Agency’s Enterprise Architecture into the next IT investment review cycle.

OIG Evaluation

Based on the CIO’s response and additional discussions with management, we amended the report and its recommendations. The primary area of confusion relates to our use of the terms ‘formally establish’ and ‘structured process.’ We agree that EPA annually issued formal guidance and criteria for the annual budget data call for the years under review.
The use of an annual data call may be structured for that one year, but evolving criteria from year to year does not provide an adequate baseline for evaluating progress from year to year. Also, this was the first time the CPIC process used a risk-based process, and it was for the purpose of producing risk-ranked budget data. However, the Act intended a portfolio management process, not simply a risk-ranking of projects in the annual budget data call.

We modified the report to clarify our intent for the phrases ‘formally establish’ and ‘structured process.’ Generally, our concern was the need for formal policies and procedures to establish a consistent management structure. Without this management structure for capital investments, EPA cannot establish a consistent baseline to evaluate and prioritize IT projects over several years. This minimum baseline information is critical for the CIO, IIS, Quality Information Council, and program managers when comparing IT investments, preparing IT investment proposals, accumulating project costs, monitoring the execution of IT investment projects, and evaluating completed projects.

Chapter 4
EPA Needs to Organize and Integrate Planning for IT Investments

EPA’s ability to organize and integrate planning for IT investments depends on the quality and timing of several important factors. EPA must ensure that the Enterprise Architecture is fully integrated with the Agency’s Government Performance and Results Act goals and objectives, IRM Strategic Plan, and IT acquisition processes. Otherwise, EPA will continue to struggle with its ability to reinvent organization processes, integrate and manage data, and build a scalable and reliable network architecture. Although EPA has made some progress in developing an entity-wide Enterprise Architecture, the Agency needs to do more to organize and integrate planning for IT investments. For example, numerous essential components of the Enterprise Architecture have not been fully addressed or integrated. EPA’s fiscal 2003 and prior IT investments were not driven by business priorities to result in organizational improvements. However, for the fiscal 2004 budget cycle, EPA’s Enterprise Architecture Team has provided guidance and worked closely with proposal preparers.

Background

During 2001, EPA completed many actions towards establishing a baseline enterprise architecture for IT planning purposes. In April, EPA provided OMB with documentation of EPA’s first Enterprise Architecture, dated March 29, 2001.
    The document was not provided to EPA program offices until an Agency-wide conference
    in July 2001, about 2 months after the IT investment proposals for the fiscal 2003
    budget submission were submitted for the Agency CPIC review process. Furthermore,
    when the OIG met with EPA’s Office of Acquisition Management in October 2001,
    neither the IT Contracting Officer nor the Procurement Office were aware of the
    document.

    OMB reviewed the Agency’s fiscal 2001 IT Investment Portfolio and noted that they
    could not match the projects in the proposed Enterprise Architecture to the portfolio.
    In August 2001, OEI established a workgroup to identify and verify EPA’s business
    processes for the Enterprise Architecture baseline. The work group’s efforts occurred
    after completion of our field work, although we were informed that the group is
    updating the business processes and aligning them with OMB’s Business Reference
    Model.

Executive Buy-in and Management Controls Required

    The Chief Information Officer Council recognizes the importance of executive buy-in and
    support to the IT investment process. The Council also states that an organization should
    create an architectural team to define and integrate the components. The enterprise
    architecture is an expansion of the IRM strategic plan that provides an enterprise view of
    information technology in the context of EPA’s business environment. The enterprise
    architecture defines the current and target (future) components. A transition plan
    sequences the evolution from current to target. As such, the enterprise architecture
    should be a document that is continuously modified and maintained to reflect the
    Agency’s current baseline and target business practices, organizational goals, visions,
    technology, and infrastructure. Figure 3 below depicts the major components of the
    Enterprise Architecture that must be addressed to accomplish EPA’s strategic goals and
    perform its business.

    Figure 3. Enterprise Architecture Framework

Various Components Essential to Quality of IT Planning

    EPA’s ability to organize and integrate planning for IT investments depends on the quality
    and timing of several important factors. Clearly defining the Enterprise Architecture is
    particularly important because it provides the conceptual framework for integrating the
    Agency’s information technology environment and core business processes to accomplish
    strategic goals. In the following subsections, we present issues that EPA management
    must address to ensure the integrity and effectiveness of its IT investment planning system.

    IRM Strategic Plan Goals Need to be Incorporated
    into the Enterprise Architecture

    EPA needs to incorporate the updated IRM Strategic Plan goals into a target enterprise
    architecture. During our review, EPA was severely criticized by Congress, National
    Academy for Public Administration, GAO, and environmental and industry groups for not
    having such a plan. On July 29, 2002, the Agency completed its revised plan: EPA
    Strategic Information Plan: A Framework For The Future.

    EPA Has Yet to Fully Baseline its Business Processes

    As of the end of field work, EPA had yet to fully baseline and validate the Agency’s
    business processes essential for establishing a portfolio for future IT investments. EPA’s
    draft Enterprise Architecture document included very high-level business processes;
    however, these processes had yet to be validated by the responsible program offices.
    We were informed that some of these business processes have been revised, but were
    unable to substantiate whether the applicable program offices formally endorsed the work
    group’s conclusions. EPA understands the importance of this activity, and plans to
    perform a validation process this year.

    Draft Enterprise Architecture Baseline Security Architecture
    Needs to be Expanded

    Although OEI’s draft baseline Security Architecture addresses many pertinent risks in
    EPA’s Security program, it does not adequately address two important components:
    facility physical security and personnel security requirements. The Enterprise Architecture
    document states the Agency maintains a security infrastructure of approximately 1,600
    servers for network support, application hosting, scientific computing, and graphics. OEI
    centrally supports these servers. The document also indicates that the Agency owns an
    additional 900 servers not supported by OEI personnel, but it does not adequately
    address who supports these servers. OEI confirmed that these servers store sensitive
    data.
    Therefore, the physical and personnel security requirements of these servers need
    to be added into the baseline security architecture.

    Key Data Needs to be Developed, Analyzed, and Controlled

    As shown in Figure 3, the Enterprise Architecture conceptual framework should consist
    of five components. As such, the Enterprise Architecture should define mission-critical
    data needs to properly support the IT investment process. However, the draft Enterprise
    Architecture plan we reviewed did not (1) specifically recognize (i.e., require)
    individual Agency data standards and related metadata[2] baseline information, and
    (2) adequately address other critical data used by stakeholders and programs business
    processes. EPA states it will address program-specific data needs across several
    dimensions.

    [2] Explanation of specific data fields, including information regarding its source,
    collection method(s), and in what context the data can be used.

    As of the end of field work, EPA had approved six Agency data standards, and recently
    it adopted a seventh standard. In addition, the Office of Water had implemented some
    program data standards. Although these efforts were underway, EPA’s intended
    infrastructure for managing and sharing environmental data did not adequately address
    how EPA’s program users and stakeholders were to use existing and future data
    registries to manage data. In fact, this issue has been a long-standing OIG concern, as
    noted in a prior report, Information Resources Management: Office of Water Data
    Integration Efforts (No. 8100177), dated June 22, 1998. We had recommended that
    EPA support its data standards program by using the Environmental Data Registry as a
    central repository for publishing and recording Agency data standards. The Enterprise
    Architecture Plan we reviewed did not incorporate this recommendation. However, EPA
    states that its current draft version of the Enterprise Architecture clearly describes the
    registry as a critical component of its target architecture.

    In its draft Enterprise Architecture, EPA recognizes that more detailed descriptions of
    critical data are necessary. Among other things, EPA will need to validate the information
    flow and relationships, as well as data descriptions and relationships, described in the
    initial Enterprise Architecture. Without this step, EPA cannot begin to establish a target
    architecture and define the required sequencing plan for migrating from the baseline to the
    target architecture.

    Complete Inventory of Systems Needed for Enterprise Architecture

    EPA needs to complete an update of its inventory of general and application information
    systems. This baseline of systems should identify current critical business processes,
    related systems (major and significant), and mission-critical data in those systems. At
    that point, the baseline can be used to identify IT investment projects that will meet the
    Agency’s current needs, eliminate redundant systems, and build an IT structure to
    accomplish EPA’s goals. However, we noted a number of inconsistent inventories.
    EPA’s March 2001 submission to OMB included a Year 2000 Systems Inventory that
    listed 70 major and significant application systems. However, the Enterprise
    Architecture, dated March 2001, only listed 46 major systems. In September 2001, the
    CIO reported to OMB in its On Implementation of the Government Information
    Security Reform Act report that it had 189 systems. In its response to the draft
    report, OEI stated the Enterprise Architecture will incorporate all systems into an
    Information Resources Registry System, which is scheduled to be operational by the
    end of fiscal 2002. OEI did not indicate how long it would take to fully populate the
    Registry System. OEI also plans to link the Registry System and the Enterprise
    Architecture.

    In addition, the Enterprise Architecture document states that sufficient information on
    Agency application interfaces is not available. The document states the CIO plans to
    gather and document this information as part of the Agency’s ongoing application
    inventory initiative, including documentation regarding major interfaces with applications
    outside of the Agency. For example, this year, EPA intends to gather more information
    on internal system interfaces and partner interfaces within the framework of its National
    Environmental Information Exchange Network.

    Enterprise Architecture Needs to Address Scalability
    of Virtual Private Network

    The draft Enterprise Architecture does not adequately address EPA’s existing and future
    technology components for its next-generation wide area network.
    The Agency needs
    to address “scalability” and Virtual Private Network (VPN) concepts to grow with the
    Agency’s evolving needs. Scalability refers to the ability to expand a network to
    accommodate future needs; a VPN is an electronic network, without physical limitations,
    specifically designed to secure transmissions. With regard to scalability, the Enterprise
    Architecture document did not explicitly identify minimum response times for key
    transaction-based systems and for business application systems on the Agency’s wide
    area network. Moreover, EPA’s July 2001 Network Requirements Study indicated that
    bandwidth utilization for some circuits experienced bottlenecks for certain portions of the
    network and responsiveness for newer systems ranged from very poor to good. Also,
    whereas management has recognized the need for virtual private networks, they only
    reference it in light of long-term needs. We believe the VPN concept is needed today to
    help the Agency comply with existing Federal telecommuting statutory requirements and
    to satisfy current business needs.

    We agree with Agency officials that technical issues, such as transaction response
    requirements and scalability, normally are addressed in a Technical Architecture. OEI’s
    response to the draft report mentioned a “Technical Reference Model” and, we agree,
    that may be a suitable planning document in which to address these issues. OEI agrees
    with the importance of secure external communications and states they will take critical
    steps to start implementing VPNs next year and, pending available resources, will make
    full operations available on an enterprise basis in 2004.

    Enterprise Architecture Should Address Middleware

    EPA’s Enterprise Architecture should identify the middleware architecture needed to
    address those client-server systems already implemented, as well as those envisioned
    and planned to strengthen the overall usability of the distributed architecture.
    Middleware architecture includes such things as message brokers, eXtensible Markup
    Language, and directory structures used to facilitate interconnection of systems and
    applications. EPA’s draft Enterprise Architecture overlooked this aspect of IT planning,
    but management may want to address these topics as part of the “Technical Reference
    Model” mentioned in OEI’s response to the draft report. To minimize the risk of
    incompatible communications, a standard middleware architecture could greatly benefit
    application developers with a single consistent interface for both inter- and
    intra-application communications.

Various Causes Contributed to Lack of Planning

    No Central Planning Organization or Appointed Authority

    EPA’s IT planning activities suffered from a lack of a central organization and authority.
    EPA’s IT planning is currently managed using a decentralized and fragmented structure
    involving numerous individuals and offices. Agency-level coordination was generally
    accomplished through project briefings to the Quality Information Council and its four
    subcommittees. With regard to the fiscal 2002 budget process, informal meeting minutes
    would support that the Council deferred formal management planning decisions in lieu of
    receiving briefings by numerous project managers and the Council’s subcommittees.

    Also, EPA needs to define the role and authority of its Chief Architect for IRM. The
    role of this Chief Architect is to oversee development and coordination of the Enterprise
    Architecture with other planning elements that should materially shape and drive the IT
    planning structure. The CIO named an individual to this role in February 2002 (via
    electronic mail), but there has been no formal definition of the position’s scope and
    responsibilities in policy, nor any official delegation of authority.

    Further, we identified several IT planning-related, Agency-wide documents, projects,
    and work groups that should be coordinated to ensure their individual visions and plans
    are aligned.
    Together they will enable EPA to optimally execute its program goals and
    deliver environmental and human health improvements.

    To EPA’s credit, management established a central Enterprise Architecture workgroup
    in August 2001. While EPA has planned activities to coordinate and develop the
    Enterprise Architecture, management must also establish a permanent central
    organization with dedicated resources and assigned responsibility to maintain this living
    document. Agency-wide Enterprise Architecture components need to be addressed and
    maintained for the following functional areas: the identification of EPA’s major and
    significant systems; defining the security architecture; validating the business processes
    with program offices; developing the Middleware architecture and defining baseline
    telecommunication requirements; defining Working Capital Fund capital investments; and
    approving individual IT project management plans for major projects or systems.

    Finalizing Information Integrated Program Plan Needed

    In its fiscal 2003 budget submission, EPA identified the Information Integration Program
    as its only major architectural project for deriving and completing an enterprise
    architecture. As critical as the project is to EPA’s Enterprise Architecture development
    efforts, no final management work plan has been implemented for this project since the
    draft was issued in December 2000. Management is required to issue a final, approved
    work plan in accordance with Agency Directive 2100, and should do so to ensure the
    timely success of the individual program, as well as the overall quality of the Enterprise
    Architecture Plan and the Agency’s future technology investments.

    The Chief Architect provided information that indicates EPA’s program and regional
    offices will be asked to co-develop the Agency's baseline and target elements for the
    Enterprise Architecture. With OEI's leadership and facilitation, the program and
    regional offices will conduct their own architectural needs analysis, and realign their
    respective systems with EPA’s evolving target. During our fieldwork, we were unable
    to substantiate how this will be accomplished. In OEI’s response to the draft report,
    management assured us that participants have been informed of their roles and
    responsibilities. In addition, they stated the Chief Architect is developing explicit
    guidance to formalize roles and responsibilities for regional and program offices.
    Management also stated that the Enterprise Architecture was scheduled for completion
    by October 2002.

Recommendations

    As the number one priority, we recommend that the Chief Information Officer direct the
    Chief Technology Officer to:

    4-1.   Formally institutionalize:

           (a)   in policy the Enterprise Architecture program to plan, manage, monitor,
                 and control the development and maintenance of the Enterprise
                 Architecture plan.
           (b)   the Chief Architect position by clearly defining and documenting the
                 roles, responsibilities, and authority of the job in policy or through a
                 delegation.

    Next, we recommend the CIO target the following key actions to complete the
    Agency’s baseline and future plans for the Enterprise Architecture:

    4-2.   Establish a permanent organization under the leadership of the Deputy Chief
           Information Officer for Technology to update and maintain the Enterprise
           Architecture in accordance with the Agency IRM Strategic Plan and its
           Government Performance and Results Act requirements.

    4-3.   Identify current major and significant general and application systems to establish
           an accurate inventory of such systems and integrate this information with both the
           Agency’s Enterprise Architecture application component and the IT CPIC
           Portfolio.

    4-4.   Complete the project to publish an updated Enterprise Architecture and
           document the project as required by Agency policy.

    4-5.   Finish implementing a robust Agency information repository and
           (o)   require the use of the data registry for Agency maintained data,
           (p)   map EPA’s data and information resources, and
           (q)   complete on-going efforts to adopt life-cycle data management
                 principles for the Enterprise Architecture data and systems components.

    The CIO should implement the following recommendations as the Enterprise
    Architecture is developed and updated:

    4-6.   Use a top management verification, validation, and approval process to ensure
           program business processes and goals are accurately reflected and incorporated
           into the Enterprise Architecture. Subsequently, formalize the process as a
           discipline for updating the Enterprise Architecture document.

    4-7.   In coordination with the Office of Acquisition Management, jointly develop an
           approval process that ensures the Enterprise Architecture concept is
           incorporated in future IT contract activities for large and significant IT projects.

    4-8.   As part of a Technical Reference Model or Technology Architecture, address
           technology components, such as interfaces, transaction response times, and
           baseline telecommunications requirements to support a scalable, reliable, and
           secure network infrastructure for the Enterprise Architecture.

Agency Response

    The CIO generally agreed with our recommendations, but believed many actions
    currently underway were not recognized in the report’s findings.
    OEI had made
    progress in addressing our concerns and, therefore, the CIO suggested that we revise
    specific findings or recommendations to reflect recent accomplishments.

OIG Evaluation

    We made changes to the report findings and recommendations based on the CIO’s
    response, acknowledging recently-completed actions and planned activities. We agree
    that EPA has taken significant first steps to address our report’s findings and
    recommendations on IT planning. However, many actions were initiated after we
    finished audit field work, and some actions are still in progress.

    We attempted to be as specific as possible in our recommendations to provide
    appropriate direction and recognize current ongoing efforts. For example, we agreed
    that some of the technical components can be addressed appropriately in a Technical
    Reference Model or Technology Architecture, rather than the Enterprise Architecture,
    and amended the recommendation accordingly. The CIO has established an ambitious
    schedule to address this report’s recommendations, and it will require a significant
    amount of dedicated resources to not only complete them, but to maintain the EPA’s
    planning structure for IT capital investments.


Chapter 5
EPA Needs To Strengthen IT Project Management Controls

    For the six EPA IT major projects reviewed, we found significant project management
    control weaknesses, a lack of compliance with Agency system development policies,
    and inaccurate project status information reported on the Clinger-Cohen budget
    submission. EPA incorrectly reported an approved System Management Plan (SMP)
    was being followed for projects. Further, SMPs were either out of date or had never
    been formally approved and signed. We also found significant variability in EPA’s
    working capital fund expenditures, which adversely impacted the system development
    project’s planning and budgeting activities. Several key factors contributed to the lack
    of management controls over IT projects:

    • OEI had not updated IRM policies or established interim guidance to convey new
      requirements, and project managers did not practice existing policies;
    • managers were not using a phased, sequential system development process;
    • EPA had not adopted standard tools for reliably managing IT project information
      resources, schedules, products, and costs; and
    • until fiscal 2002, EPA had not provided a means for project managers to track
      project and contractor support costs.

    The CIO needs to establish controls to monitor project managers and ensure they use
    key management controls (e.g., SMPs), and maintain current cost-benefit analyses and
    project cost records.
Otherwise, the CIO has little assurance that IT investment\n        projects represent cost-effective solutions.\n\nPrimary System Guidance\n        OMB Circular A-130, Management of Federal Information Resources\n        Management, establishes requirements for:\n\n        \xe2\x80\xa2   preparing and updating a cost-benefit analysis for each information system\n            throughout its life cycle;\n        \xe2\x80\xa2   conducting post implementation reviews of information systems development\n            projects to validate benefits; and\n        \xe2\x80\xa2   establishing an oversight mechanism to ensure major systems development projects\n            proceed in a timely fashion toward agreed-upon milestones and deliver intended\n            benefits.\n\n        OMB Circular A-11, Preparing and Submitting Budget Estimates, required two\n        reports for fiscal 2002 budget submissions:\n                                             29\n                                                                           Report No. 2002-P-00017\n\x0c                                                  EPA Management of Information Technology\n                                                      Resources Under The Clinger-Cohen Act\n\n        \xe2\x80\xa2   Section 53. This report summarizes an agency\xe2\x80\x99s IT portfolio by listing major and\n            significant capital investments for IT system, infrastructure, and architecture\n            projects.\n\n        \xe2\x80\xa2   Section 300. This is a separate planning and justification report for each major\n            capital investment with a useful life of 2 or more years. Agencies are expected to\n            establish and measure baseline costs, establish a measurable project schedule, and\n            ensure projects support performance goals.\n\n        OMB Circular A-127, Financial Management Systems, Parts 6 and 7, address\n        financial system requirements. 
EPA Directive 2100, Chapter 17, identifies an eight-\n        stage life cycle methodology, and establishes specific thresholds for formal review and\n        approval of an SMP for system development or enhancement projects.\n\nDocuments Incorrectly Reported\n        In its fiscal 2002 and 2003 CPIC project submissions, EPA managers misrepresented\n        the status of key management documents. We reviewed documentation for three of six\n        selected projects. We could not audit two infrastructure projects because, despite\n        repeated requests, EPA managers did not furnish adequate supporting documentation.\n        The sixth, which was EPA\xe2\x80\x99s current architecture project, Integrated Information Project,\n        did not have a current, approved SMP. Following are examples of what we found:\n\n        SMPs\n\n        \xe2\x80\xa2   The SMP for AIRS-AQS (Aerometric Information Retrieval System - Air Quality\n            System) had not been updated since originally prepared in 1996. Maintaining a\n            current and formally approved SMP is important because it discloses significant\n            changes to the system development project and ensures accountability.\n\n        \xe2\x80\xa2   As of December 17, 2001, the SMP document for the RCRAInfo (currently\n            defined as the Resource Conservation and Recovery Act Information Management\n            System and Waste Information Needs/Informed) did not include the Assistant\n            Administrator\xe2\x80\x99s signature approving the project and key decisions, as required by\n            EPA Directive 2100. 
Project management attributed the lack of signed hard copies to a reliance on electronic documents and e-mail to manage meeting minutes and decision notes.

Cost-Benefit Analyses

• Project management stated that, given the modular nature of the RCRAInfo project, cost benefit analyses were performed for each major component rather than for the project as a whole. EPA’s fiscal 2003 investment submission for this project disclosed total life cycle costs of $70.5 million, an increase of $40.4 million over previously projected costs. Management attributed the increase to: estimated regional and state costs, changes to working capital fund rates, and adding years to the system life cycle. An updated cost-benefits analysis would help determine the most cost-effective strategy for implementing the RCRAInfo investment.

• The cost-benefits analysis for SDWIS/STATE (Safe Drinking Water Information System/State Version Modernization Effort) had not been updated since 1992, despite many changes in design, functionality, and plans to migrate to a web-enabled application. The outdated analysis erroneously leads EPA management to believe that the original return on investment will still be achieved.
An updated cost-benefit analysis should be completed as extra functionality is added to the system, such as the planned integration of SDWIS/STATE into the Agency’s Central Data Exchange initiative.

Primary Architecture Project Lacks Plan

Although EPA’s Information Integration Program is the heart of EPA’s Enterprise Architecture and planning investment strategy, EPA did not recognize the Program as a separate architectural project until the fiscal 2003 budget submission, provided September 2001. As such, no project plan had been finalized to define the vision, scope, or implementation and cost schedules for this architectural project. The project plan would help management ensure that the intended benefits of this complex endeavor do not outweigh the projected costs, as well as provide specified time frames for completing detailed tasks and products.

Project Managers Not Adequately Monitoring Status

EPA project managers were not adequately monitoring the execution of IT capital investment projects. EPA’s 300b IT investments reports showed that projects consistently did not meet cost estimates, scheduled milestones, and planned performance. We compared planned expenditures for 46 IT investment projects in fiscal 2001 against their corresponding actual costs, and found that 37 percent showed more than a 10 percent increase. Furthermore, the investment reports indicated that 78 percent of these projects experienced milestone slippages greater than 10 percent.
The data strongly indicates project managers need better standard management tools.

Many Factors Negatively Impact Management of IT Investments

Numerous factors contributed to the inconsistency of management controls for IT investment projects. These concerns were voiced by many of the project managers interviewed.

IT Project Managers Need Standard Tools

For the period reviewed, EPA had not adopted standard project management tools to help managers plan, control, and evaluate IT investment projects and track project costs, schedules, and resources. SDWIS/STATE is an example of a project that could have been managed better with the help of a project management tool. Standard project management tools help promote a consistent and uniform approach to tracking and managing all forms of project and contractor support costs. A standard tool helps to reduce the communication gap between contractor support activities and what the Agency reported for this IT investment.

IT Projects Not Using A Phased Sequential Project Life Cycle

The status of a project is often unclear because project managers do not use a sequential, phased development process to clearly distinguish where one series of system development life cycle activities ends and another series begins.

EPA Directive 2100, Chapter 17, requires that system development projects follow a sequential, phased systems development life cycle called the “waterfall” method. This method consists of eight sequential stages.
Any planned new functionality should be considered a new project, and a new project also should be established when estimated costs exceed stipulated dollar thresholds.

Industry recognizes at least three other models for systems development that are sequentially-phased from a project perspective. These approaches are generally referred to as: (a) spiral, (b) prototype, and (c) rapid application development models. Spiral modeling works as a repeating waterfall approach, with a risk analysis at every stage to determine whether cost overruns, schedule delays, or changing requirements will impact the benefits of proceeding. Prototyping uses existing software and lets a group of users define the system requirements for an organization. Rapid application development is based on reusing and modifying software components until they perform as desired.

The projects reviewed did not demonstrate any of these acceptable “phased” software development approaches. Rather, we found that EPA generally used an evolutionary approach in which management continuously added requirements to the overall system development project. For example, the RCRAInfo project was simultaneously in more than one stage of the system development life cycle, and management could not distinguish the cumulative costs associated with one set of activities versus another. The project is very broad and encompasses five program area requirements. In 1999, contractors completed the first system development life cycle stage (i.e., the Requirements Analysis) for three of the five areas, while the two most critical functional requirements remained in the first stage. Despite several years of effort, management was still defining RCRAInfo requirements. Business needs can change based on technology advances, so best practices suggest that requirements be defined in less than 2 years.
We believe management should have split the program area requirements into two or more distinct projects, so development efforts could progress in a timely fashion from one stage to the next, and managers could easily track associated costs and schedules.

Evolving Nature of EPA’s Exchange Network

The evolving nature of EPA’s architecture project deterred management from finalizing its formal project plan to ensure the cost-effective and timely execution of the Exchange Network. What is now referred to as the Information Integration Project represents the third iteration of the project, and the objectives and intended outcomes have undergone several revisions. Also, the number of infrastructure projects (e.g., registries) affecting the Information Integration Project has been evolving, and management must clarify the role these supporting projects play.

Minimal Assurance that IT Investments are Cost-Effective and Controlled

The absence of key decision documents and senior management approval (e.g., cost benefit documents, management decision papers, system management plans) increases the risk that funded IT projects will evolve in an unstructured, untimely, and costly manner. Furthermore, expanding and/or changing original project objectives to incorporate evolving business functions results in confusion, complications for proper cost accumulation, slipped project development time lines, and even system development projects that never come to closure.
In addition, if projects are too broad in scope to progress through the life cycle in a timely manner, then what originally was thought to be a cost-effective solution may become a bad return on investment. Further, the lack of project management tools inhibits project managers’ ability to provide reliable data on a project’s status, and contributes to unjustified delays and unsupported cost overruns on IT projects. Chapter 2 contains additional effects relating to EPA’s inadequate oversight processes.

Recommendations

We recommend the Chief Information Officer:

5-1. Monitor IT investments to ensure that SMPs are prepared in accordance with Agency requirements, and that they appropriately link the Enterprise Architecture and other planning documents to the Clinger-Cohen Act submission documents.

5-2. As part of a monitoring process, re-evaluate funding for IT investments at least quarterly, to determine if they have exceeded budgeted costs or project milestone schedules by more than 10 percent, and ensure that written justifications sufficiently support continuing the project.

5-3. Prescribe that standard tools, such as I-TIPS and project cost accounting, be used for managing projects for software development changes to IT systems and project management.
The selected tools should be approved by the Chief Financial Officer as being compatible with the Agency’s cost accounting and financial systems.

We recommend the Air Quality System Project Manager:

5-4. Update the SMP for the Air Quality System project and obtain the signature of approval of the Assistant Administrator for Air and Radiation at the conclusion of the analysis stage for major and significant enhancements adding new functionality.

We recommend the RCRA Information Project Manager:

5-5. Update the Project Management Plan for the RCRAInfo project to make it equivalent to an SMP, for planned system design changes and enhancements adding functionality. In addition, the SMP should be formally approved by the Assistant Administrator for Solid Waste and Emergency Response to authorize the IT investment and to ensure a system of accountability.

We recommend the SDWIS/STATE Project Manager:

5-6. Establish an SMP for the SDWIS/STATE project and obtain the signature of approval from the Assistant Administrator for Water at the conclusion of the analysis stage and for major and significant enhancements adding functionality.

We recommend the Project Managers for the Air Quality System, RCRAInfo, and SDWIS/STATE:

5-7. Manage project development efforts in accordance with the SMP, as updated, throughout the life cycle of the system, and retain the SMP for reference and review by the CIO or the CIO’s designated review official.

Agency Response

We received comments from several Agency officials in response to this chapter’s findings and recommendations.
The CIO agreed to monitor IT investments and expected to also establish a preselect phase. However, the CIO stated we had not recognized that the current review process required monitoring a project as part of an annual review. Further, the CIO did not agree that one set of project management tools would be cost effective or meet all projects’ needs. The Assistant Administrator for Solid Waste and Emergency Response and the Director of the Office of Air and Radiation’s Information Transfer and Program Integration Division both disagreed with our conclusion that project management controls were inadequate.

OIG Evaluation

We made changes to this chapter based on the Agency’s responses, as well as further discussion with management officials. We had used a judgmental sample of the six different kinds of major IT investment projects, and the sample accounted for over half of the fiscal 2002 major IT projects’ budgeted funding. We had completed a limited survey, requested supporting documents, and interviewed key project managers. However, we were unable to complete the survey and had to limit our scope of review because three major system projects did not provide requested information.
For the three major system projects completing the survey, we did not (1) review all the individual project’s management controls, or (2) determine whether the individual project accomplished the objectives identified in the budget submission.

Our review concentrated on project management controls and documentation requirements in OMB Circulars and existing EPA System Development Life Cycle policy. We were able to document inaccurate and/or unsupported information being incorrectly reported by the three major IT system projects in the fiscal 2002 budget. For example, the projects (1) did not adequately address OMB requirements by consistently accumulating costs from year to year; (2) could not support total costs from inception of the project; and (3) could not provide current cost-benefit studies addressing costs, needs, and expected benefits. We also found that the projects could not document compliance with existing Agency and Federal system requirements, such as the development and top management approval of a current cost-benefit analysis.

Each project was using a different set of project management procedures for the day-to-day execution of the project. We did not evaluate these local project controls. Still, we believe that if EPA was monitoring the projects’ execution (at least quarterly) and evaluating completed IT projects, individual project managers would address these critical management controls.
Furthermore, if program managers are compelled to report accurate data for critical management controls (e.g., emerging cost and schedule overruns), then the CPIC peer review process can more accurately assess the risk of successful completion for susceptible IT projects.

Chapter 6
Project Cost Accounting System Vital for Planning and Managing IT Investments

Although EPA implemented an IT project cost accounting methodology in fiscal 2002, EPA managers previously relied on an inconsistent variety of informal cost accumulation processes and records to oversee and measure progress on individual IT system development or enhancement projects. Even now, the accuracy of captured IT costs depends largely on the ability of non-technical staff to consistently and accurately distinguish how IT costs fit into system life-cycle categories, and to appropriately code funding documents. Accuracy also depends on contractors adequately identifying specific software development costs.

Cost Accounting a Federal Requirement

Cost accounting data is required by Federal laws, standards, and Agency policies. The Clinger-Cohen Act notes that before an IT investment is made, it is to be evaluated using a risk-adjusted return on investment as well as other specific quantitative and qualitative criteria.
OMB Circular A-11 defines the life cycle phases to be used for reporting IT costs and budgets. EPA Directive 2100 requires system managers to prepare a needs assessment and SMP before a new system development or enhancement project can be approved. Statement of Federal Financial Accounting Standard No. 10 requires agencies to capitalize the full costs of internal use software.

Managers Did Not Have Necessary Project Information

Prior to the start of fiscal 2002, EPA did not have a standardized project cost accounting methodology for managers to use in overseeing IT projects and systems covered under the IT CPIC process. In the projects reviewed, we found that managers relied on an inconsistent variety of informal cost accumulation processes and records to identify expenses, assess changes to baseline costs and schedules, and measure progress of individual IT development or enhancement projects. In addition, managers needed a standard project management system to allow them to establish reasonable baselines for projects, including tracking and managing project contractors’ costs; accumulating labor, working capital fund, and project hardware purchase costs; and controlling changes to system milestones and documentation.

Effectiveness of Interim Accounting Practices Untested

EPA’s Office of the Comptroller issued interim policies and procedures on accounting for IT activities through Policy Announcement No. 01-10, New Information Technology Accounting Requirements. Effective October 1, 2001, this announcement established a
standard agency-wide method of tracking IT costs using the site/project field in the existing accounting code structure. The announcement also defined three life cycle categories, as well as IT activities, goods and services, and established processes for capitalizing the full cost of internal use software.

The majority of EPA’s IT project costs are based on contractor and grant costs. Whether the captured IT costs are accurate will depend largely on the ability of IT Project Officers, Delivery Order Project Officers, and Contracting Officer’s Technical Representatives to accurately assemble supporting cost documents, accumulate appropriate project life cycle costs, and input the project costs into the Agency’s accounting system by life cycle phases. Especially in the early implementation stages, individuals may not have enough knowledge of the IT projects they manage to consistently and accurately distinguish between the significant and major cost categories (i.e., the preliminary design, development, and maintenance phases). Our concern is compounded by the fact that the three system life cycle categories set forth in the Policy Announcement are inconsistent with the phases described in EPA Directive 2100.
OEI and the Office of Chief Financial Officer are participating in an agency-wide workgroup to revise and identify acceptable systems development approaches, resolve current differences in life cycle phases, and develop common definitions across various management programs (e.g., accounting, systems development, Enterprise Architecture, and CPIC process).

Until the new practice is audited, we cannot be certain that actual Agency practices will conform with the Policy Announcement, or that successful implementation of the policy will result in effective tracking of IT costs for capitalizing the full costs of internal use software.

Ability to Assess and Manage IT Projects Impaired

The absence of a project cost accounting system impaired IT managers’ ability to efficiently and reliably estimate, manage, and report IT project costs. For example, system managers could not perform reliable cost-benefit analyses of technical alternatives, which is useful for developing a sound system/project management plan. Likewise, IT managers could not maximize the value of or perform risk-adjusted Return on Investment analyses. Furthermore, neither the CIO nor Chief Financial Officer could reliably verify or validate the accuracy or completeness of IT expenses reported by program offices and regions.
Therefore, IT investment amounts previously reported via OMB Exhibits 53 and 300b were at significant risk of being incomplete, inaccurate, or inconsistent with prior year disclosures.

EPA Asserts System Complies with Standards

Despite previous OIG report recommendations to implement a managerial cost accounting system, the Office of the Chief Financial Officer had maintained that EPA’s financial management system met Federal accounting standards. While Statement of Federal Financial Accounting Standard No. 10 prompted the Agency to create a methodology to capture IT costs for “internal use” software capitalization purposes, EPA’s current interim cost accounting and related management systems still cannot provide managers with enough basic cost information to accomplish objectives associated with planning, decision making, control, and reporting for their respective IRM program activities. However, on September 24, 2002, the Office of Chief Financial Officer submitted an action plan for Expanding Cost Information at EPA. We will continue to monitor the Agency’s achievements as they work with program offices to promote the use of cost information in managing for results.

Recommendations

Implementing appropriate definitions and controls will require the combined efforts of several EPA program offices.
We recommend the Chief Information Officer, Chief Financial Officer, and Director for Acquisition Management work together to:

6-1. Institutionalize consistent definitions of systems life cycle stages and IT costs in Agency policy to be used for contracting, accounting, IT systems, project management, and the capital planning investment control process.

We recommend the CIO and Chief Financial Officer work together to:

6-2. Institutionalize in Agency policy consistent systems life cycle and IT costs definitions for revising EPA Directive 2100, and the interim IT activities policy guidance.

We recommend the Chief Financial Officer lead an effort to:

6-3. Complete a needs and feasibility assessment of alternatives to determine what types of project cost information and supporting documentation are needed for the capital planning investment control process and managing IT projects.

Agency Response

Responding for EPA’s Chief Financial Officer, the Comptroller agreed in general with our recommendations and pointed out that Policy Announcement 01-10, effective October 1, 2001, implemented IT project cost accounting, which is a new way of conducting business for EPA. Both the Comptroller and the CIO did not agree with a proposed recommendation to amend all current system development contracts to identify system development costs by Agency system development life cycle phase.
The Comptroller stated that the policy already requires Project Officers, Delivery Order Project Officers, and Contracting Officer’s Technical Representatives to code project costs for projects and systems under their control.

OIG Evaluation

Despite Agency assurances, we still have concerns about whether accurate cost information will be available to permit Project Officers, Delivery Order Project Officers, and Contracting Officer’s Technical Representatives to accurately code costs for projects and systems. As the Comptroller pointed out, this is a new process that only was established at the end of our field work. As a result, no information was available to complete a detailed evaluation of operational cost accumulation controls. We have dropped our prior recommendation to amend requirements for existing software development contracts until the fiscal 2002 financial statement audit evaluates the adequacy of this new cost accounting process for accumulating software development costs by project.
Appendix 1
Details on Scope and Methodology

We performed our audit in accordance with Government Auditing Standards, as issued by the Comptroller General of the United States. The audit included tests of the program records and other necessary auditing procedures. We began preliminary research on January 16, 2001, and an in-depth review on August 21, 2001. We issued a draft report on April 26, 2002. We conducted this audit at EPA Headquarters in Washington, DC.

At the time of our audit, our scope was limited because the Agency could not provide a final work plan for the Information Integration Program project, also known as the National Environmental Information Exchange Network project. Also, we could not substantiate how the Working Capital Fund process integrates with the IT investment process (see Scope Limitations section below).

To accomplish the audit objectives, we attended hearings on July 11, 2001, on Senate Bill 803, and documented Testimony before the Senate Governmental Affairs Committee. This bill was to address the need for a Federal CIO to manage IT investments under the Clinger-Cohen Act. We compiled a list of public laws related to IT acquisition and management that affected implementation of the Clinger-Cohen Act. This included the Electronic Government Act, the Paperwork Reduction Act, and the Federal Acquisition Regulation. We reviewed Congressional Reports and noted the problems Federal agencies were experiencing implementing the Clinger-Cohen Act.
We reviewed OMB Circulars pertaining to implementation of the Act, and feedback provided by OMB to EPA concerning Agency IT budget submissions.

We reviewed the Agency’s Enterprise Architecture dated March 29, 2001, and summarized the Federal requirements for developing Enterprise Architecture documents. We researched and reviewed documents issued by the Federal CIO Council relating to the implementation of the Clinger-Cohen Act. EPA has actively participated in the Council’s survey and study projects.

We reviewed EPA IRM policies related to implementation of the Clinger-Cohen Act. We met with Agency personnel knowledgeable of and responsible for writing IRM policies. At the time of our review, EPA had established an Agency work group to address the needed revision of System Development Life Cycle policies to support the requirements of the Clinger-Cohen Act.

We reviewed Agency delegations dealing with implementation of the Clinger-Cohen Act to ascertain whether appropriate authority had been delegated to the CIO by the Administrator, and whether the CIO had delegated appropriate authority to program officials. We consulted with the OIG Counsel on this matter.

To gather information on the implementation of the Clinger-Cohen Act in other Federal agencies and determine potential benefits that could be implemented by EPA, we interviewed personnel at three other agencies: Treasury, Housing and Urban Development, and Agriculture.
For example, I-TIPS was a tool used by management at these agencies.

We interviewed personnel responsible for implementing and managing EPA’s CPIC
process, including the OEI Director, and personnel in the Office of Technology
Operations and Planning and its Information Technology Policy and Planning Division.
Division personnel interviewed included the Chief of the IT Strategic Planning Branch and
CPIC Team Leader. We also attended various OEI meetings related to the CPIC
process.

We reviewed EPA’s IT budget submissions for fiscal years 2002 and 2003, including
various budget proposals. Our review included a comparison of the proposals for the 2
years to determine any proposed changes, the differences in budgeted and actual costs,
and the cost variances. We also noted whether the proposal indicated a Cost Benefit
Analysis and a Security Plan had been completed.

We examined various documents provided by OEI, including budget call letters,
instructions for preparers, the organization of the peer review, instructional material for
reviewers, proposal evaluation criteria, peer review scoring, ranking and comments,
notes, agendas, and actions of the Investment Subcommittee. We reviewed the agenda,
notes, and actions of the Quality Information Council.

For three IT investment projects, we reviewed the adequacy of information and
documentation in support of their Clinger-Cohen Act submission documents for fiscal
2002. This included an evaluation of the related project management controls and a
comparison of the information provided for fiscal 2003.
We used control questionnaires and follow-up interviews with IT project managers to
ascertain information about project management practices, as well as Agency
infrastructure and architecture projects.

Scope Limitations

We could not substantiate how internal controls for EPA’s Working Capital Fund
process integrate with both the IT investment process and the Enterprise Architecture,
despite repeated efforts to obtain relevant policy or procedural information from OEI
officials. The Working Capital Fund is used to fund various aspects of IT projects. We
were advised that responsibility for the Fund recently shifted from OEI to the Office of
the Chief Financial Officer. The Working Capital Fund concept is described in the
narrative for the Agency’s IT Architecture Roadmap, but the Roadmap does not
elaborate on the Fund’s relationship to the Agency’s IT investment process.

We attempted to audit two infrastructure project proposals: the National Centralized
Computing and Information Processing Initiative and the proposal for the Scalable
Computing and Information Infrastructure. The Agency could not provide any support
for the proposals, including support for why $13 million in work included in initial
proposals was no longer in the total costs of a subsequent proposal. Consequently, we
could not audit what happened with the $13 million.
Following our inquiries, the Scalable Computing and Information Infrastructure proposal
was withdrawn from the investment review process and included as part of the National
Centralized Computing proposal. Other projects also showed significant variability in
Working Capital Fund expenditures, and we could not verify the nature of these
variabilities.

Congressional Concern

One of the reasons for our conducting this review was the concern expressed by
Congress in a report from the U.S. Senate’s Governmental Affairs Committee,
Investigative Report of Senator Fred Thompson on Federal Agency Compliance
with the Clinger-Cohen Act, dated October 20, 2000. The report indicated that
Federal agencies had not taken adequate actions to implement the Act, and noted that
EPA did not produce evidence of any specific mission-related review of assessments
based on programmatic or operational goals. EPA acknowledged shortcomings in its IT
investment proposals, such as milestones being too general, projects being planned and
managed in a stovepipe fashion, priorities not being established agency-wide, and the
IRM strategic plan not being updated since the implementation of the Government
Performance and Results Act. Further, when the Committee asked for a status report on
EPA’s top 10 IT investment projects, EPA could not provide any information on the
status of 4 of those 10 projects. The Committee made numerous recommendations to
executive departments (including EPA) for making improvements.

Prior Audit Coverage

In OIG Report No.
2001-P-00013, Water Enforcement: State Enforcement of
Clean Water Act Dischargers Can Be More Effective, dated August 14, 2001, we
reported that although the modernized Permit Compliance System was estimated to cost
more than $10 million in life cycle costs, the required system charter and system
management plan decision papers had not been prepared or approved by appropriate
levels of management.

In OIG Report No. 001000239, Financial Management: EPA’s Fiscal 1998 Working
Capital Fund Financial Statements, dated March 29, 2000, we found internal control
weaknesses that would impact the overall management of Working Capital Fund
operations, and resulted in managers not having accurate or timely financial information
on the Fund’s operations. This Fund provides EPA with computer and
telecommunication services on a cost-reimbursable basis.

In OIG Report No. E1NMF3-15-0072-5100240, Management of Application
Software Maintenance at EPA, dated March 31, 1995, we noted that while EPA was
creating the Working Capital Fund to more cost effectively administer services, it was still
questionable whether EPA could separate application software maintenance activity from
operations activity. EPA did not develop, review, and update software maintenance
costs by individual systems throughout their life cycles, which would prevent informed
budget decisions from being made.

In OIG Report No.
E1SKG3-15-0098-4400038, Special Review of EPA’s
Information Systems Program, dated March 24, 1994, we noted that management did
not treat information as a strategic resource nor IRM as a core function and valuable tool.
EPA did not have an information data architecture, data standards, or administrative
structure to facilitate data sharing Agency-wide, and data quality problems existed.

Also, a National Academy of Public Administration report, Transforming
Environmental Protection for the 21st Century, dated November 2000, noted the
nation needs authoritative information about environmental conditions, and discussed
various steps being taken by EPA to do so. The report also emphasized that OEI had
not begun to draft a strategic plan to guide its activities, and had no direct authority over
the budget or staff that support EPA’s systems.


Appendix 2
Office of Environmental Information’s
Response to Draft Audit Report

July 2, 2002

MEMORANDUM

SUBJECT:  Response to the Draft Report: EPA’s Management of Information Technology
          Resources Under the Clinger-Cohen Act, Audit Number 2001-0591

FROM:     Kimberly T. Nelson             /s/ Rick Otis for
          Assistant Administrator
          and Chief Information Officer

TO:       Nikki Tinsley
          Inspector General

This memorandum provides a response to the Office of Inspector General (OIG) findings outlined
in the Draft Report: EPA’s Management of Information Technology Resources Under the
Clinger-Cohen Act, Audit Number 2001-0591, dated April 26, 2002. Overall, the Office of Environmental
Information agrees with your emphasis on the critical importance of an effective IT resource investment
management program that 1) delivers real benefits to the Agency’s mission and 2) properly manages the
risks across our enterprise portfolio. It is my intent to aggressively address the key issues raised in the
report and I appreciate the work of your staff in providing us with this critical input to our planning and
operation of the Clinger-Cohen CIO program. We will provide a complete action plan for improvements
upon receipt of the final report.

There are some findings and recommendations in the draft report that my staff finds are not totally
accurate in their characterization of the past accomplishments, current status and strategic directions of
our program. We previously provided comments correcting some items which provided the basis for this
draft report, but the report does not reflect any changes for those issues. We have also made much
progress as an Agency during and following the audit. I would appreciate your review of our attached
comments.
Please adjust the final version of the report to incorporate changes to the introduction,
findings and recommendations based on this information to ensure the final report provides the most
accurate view of the program and where the Agency should focus attention and resources to help it
improve in the future.

If you have any questions regarding this response please have your staff contact Mark Day,
Director of the Office of Technology, Operations and Planning at (202)566-0300.

Attachments

cc:    Mark Day, Director, Office of Technology Operations and Planning
       Debra Stouffer, Chief Technology Officer
       Kathy Petruccelli, Director, Office of Planning, Resources and Outreach
       Mike Flynn, Deputy Director, Office of Information Analysis and Access
       Brion Cook, Director, IT Policy and Planning Division
       Rick Martin, Director, National Technology Services Division
       Kevin Phelps, Associate Director, IT Policy and Planning Division
       Barbara A. Chancey, Chief, IT Strategic Planning Branch
       Chuck Cavanaugh, Program Lead for Investment Management
       John Sullivan, Chief Architect
       John Moses, Office of Information Collection
       Joe Dillon, Comptroller
       Juliette McNeil, Director, Financial Management Division
       John Gherardini, OAM
       Tom McEntegart, OAM
       Ed Lillis, OA
       Edward Cottrill, OW
       Tony Jover, OSWER
       Michael Mundel, OECA
       Jeffrey Worthington, OEI Audit Coordinator
       Brigid Rapp, OCFO Audit Coordinator
       Christa Eckel, OAM Audit Coordinator
       Greg Marion, OECA Audit Coordinator
       Judy Hecht, OW Audit Coordinator
       Johnsie Webster, OSWER Audit Coordinator
       Patricia H. Hill, OIG
       James Rothwell, OIG


Draft Report: EPA’s Management of Information Technology Resources Under
the Clinger-Cohen Act, Audit Number 2001-0591

Executive Summary

While we agree with the overall goal of the report, in many cases findings do not adequately reflect status and
accomplishments, so recommendations are not as helpful as they might be. We request adjustments to findings and
recommendations to focus attention more effectively on where additional effort and resources would benefit the Agency.

The following comments address statements in the Executive Summary “Results in Brief” which contains content outlined
from each chapter.
Additional specific comments on findings and recommendations are identified separately in relation to
the respective chapters.

“Since established in 1998, EPA’s CIO has not taken adequate actions to implement and institutionalize the Agency-wide
authority and responsibilities for IT capital investments”

         EPA CIOs have made major advancements in ensuring Agency-wide compliance with Clinger-Cohen
         responsibilities. EPA established the Quality Information Council (QIC), chaired by the CIO and comprised of
         Agency senior resource management officials. The QIC formally approves IT investment decisions, and has done
         so since Clinger-Cohen has been in place. Under CIO’s leadership, EPA senior resource managers have engaged
         in substantive investment reviews and direction. Their joint efforts have led to restructuring of portfolio
         components, as well as substantive change/improvement of specific proposals.

“Several key factors continue to inhibit the realization of a successful program…”

         OEI has made significant advances on each of the factors specified.
         Specifically the CIO has taken steps to:
               -   establish a substantive range of new policies, procedures, and guidance on priority areas (security,
                   investment) and is in the process of moving forward on a new comprehensive policy framework;
               -   promulgate a new information strategic plan reflecting the Clinger-Cohen framework (in CIO review);
               -   officially establish a chief architect and elevate the Agency profile for enterprise architecture
                   development;
               -   hire a Chief Technology Officer to champion Clinger-Cohen compliance within EPA;
               -   employ risk-based assessments for capital IT projects reflecting the evolving nature of OMB
                   guidance under Clinger-Cohen;
               -   establish new IT cost-tracking structures and requirements, and begin integrating investment and
                   cost-tracking.

“CIO had minimal assurance that IT investments reported to OMB would maximize their value”

         CIO recommendations for IT investments reflected senior Agency decisions on strategic program direction and
         value, based on then applicable Agency needs and available OMB guidance. Further, OEI continues to strengthen
         the investment review process to maximize value, including regular investment reviews of all OEI investments to
         review cost, schedule, and performance.

Executive Summary Recommendation: Revise outdated policies to remove unauthorized IT business
practices and add new requirements.
OEI/OTOP Response: Suggest restating to acknowledge OEI process underway since Q1/02 to:
    1. Identify, from a best practices perspective, what EPA’s IT policy collection should be
       (recommendations to be forwarded for CIO review in August, 2002);
    2. Catalog EPA’s current IT policy collection (completion in August, 2002);
    3. Identify the gaps between the “should be” and “current” states i.e., those IT policies
       needing to be created, updated, or canceled (September 2002);
    4. Develop a multi-year plan for how to address the gaps and bring EPA’s IT policy collection
       to the “should be” state referencing Enterprise Architecture, CPIC, and IT acquisition
       processes (November, 2002).

Executive Summary Recommendation: Finalize the IRM Strategic Plan.
OEI/OTOP Response: Agreed and underway. A “Strategic Information Plan” document is in CIO
review. The goals and direction put forth in this document are being incorporated as drivers in
the architecture development.

Executive Summary Recommendation: Formally establish a Chief Architect position with sufficient
authority.
OEI/OTOP Response: Please correct. On February 22, 2002, the CIO established the Enterprise
Architecture Program and named John Sullivan as Chief Architect for EPA.

Executive Summary Recommendation: Implement an automated project management system (I-TIPS).
OEI/OTOP Response: Please restate: “Continue efforts to implement I-TIPS”. OEI is implementing
I-TIPS successfully and will be using it to generate OMB reports this September for budget year
2004. EPA completed a security vulnerability assessment and developed risk mitigation plans prior
to production as required by OMB, and is now moving forward aggressively.

Executive Summary Recommendation: Implement monitoring and evaluation processes for IT
investments.
OEI/OTOP Response: Please provide greater specificity. EPA senior management and the CIO do
monitor and evaluate IT investments, reviewing all OEI investments for cost, schedule, and risk.
Further, the CIO is taking steps to integrate investment, enterprise architecture, system
life-cycle and fiduciary management processes in partnership with OCFO. A general statement
expressing support for these efforts would be useful.

Executive Summary Recommendation: Postpone funding for IT projects that have been identified as
“materially deficient”
OEI/OTOP Response: The CIO and the QIC review investments prior to funding. Funding has never
been recommended for an investment determined to be “materially deficient.”


Chapter 2 - CIO Needs to Fully Implement Clinger-Cohen Act Requirements.

Finding: 2.1 - Five years after implementation of the Act, EPA’s CIO still had not established an
adequate structure with the policies and guidance needed to sufficiently implement the Act.
Response: EPA through actions by the Administrator and the CIO has taken steps to implement
critical Clinger-Cohen functions, and to direct IT resources in a manner that will deliver
increasing value to our program mission. CIO leadership has been highly visible in enterprise
architecture, investment management, critical policy, and workforce development. Please amend
this finding to highlight the specific areas where the CIO and Agency leadership should direct
additional attention and resources.

Finding: 2.2 - Overall, EPA’s program managers are treating the Clinger-Cohen Act requirements as
little more than a paper exercise to satisfy the annual OMB budget call.
Response: Inaccurate. There is evidence that program offices do take the CCA seriously. Agency
managers at multiple levels have actively participated in investment reviews. Management
attention is reflected in: consolidation and elimination of duplicate projects; the number of
program offices seeking OEI’s consultation on preparing proposals; more refined reporting of
budget numbers; linking IT investments to GPRA goals and agency priorities. It would be helpful,
if you could expand the recommendation to identify the specific manner in which program managers
should be involved beyond the roles that they currently fulfill (proposal preparation, approval,
participation in Agency-wide portfolio development).

Finding: 2.3 - Numerous examples demonstrated the use of inconsistent criteria and a general lack
of objective, quantitative investment criteria (e.g., cost-benefit analysis)
Response: For the past five years, criteria has been based on the OMB’s eight Raines Rules, plus
additional Agency policy and programmatic criteria that was approved by the QIC’s Information
Investment Subcommittee (IIS), CIO, CFO, and the QIC, as such was both consistent and objective.
This year, we plan to revisit selection criteria and approve revised criteria (including applying
weights) through the QIC.

Finding: 2.4 - EPA has not formally appointed a Chief Architect to oversee the development and
execution of its Enterprise Architecture Plan.
Response: Inaccurate, please remove. On February 22, 2002, the CIO has appointed a Chief Architect
for EPA. The Enterprise Architecture baseline, target and sequencing approach is scheduled to be
delivered to OMB on October 15, 2002.

Finding: 2.5 - The fiscal 2002 budget did not identify an architecture project.
Response: Inaccurate, please remove. For the fiscal 2002 budget, the architecture project was
included as a component of integration proposals and for FY02 it was reported separately on the
Exhibit 53 - Section 3.- Architecture.

Finding: 2.6 - In 2001, EPA purchased a SLA to use the off-the-shelf software I-TIPS.... However,
when requested, EPA could not provide any evidence to support that they were assigning resources
or providing milestones for implementing the software.
Response: Please restate. The Investment Management Team has assigned resources to I-TIPS
implementation, developed milestones for production, proceeded with implementation, and will be
using I-TIPS to generate automated OMB reports for this investment cycle. Further, I-TIPS will be
expanded agency-wide in 2003.

Finding: 2.7 - In addition, the following effects are likely to occur: 1) IT investments will not
be driven by business priorities and mission goals; 2) Stovepipe systems will continue to operate;
3) EPA will continue to invest in duplicate IT system; 4) IT investments will not take advantage
of technology advances and reduced costs; 5) reporting processes will not be made efficient for
states and private industry; 6) application systems will not comply with environmental data and
interoperability standards; and 7) increased public access and security requirements will not be
met.
Response: Please restate to acknowledge the following:

All IT investments in the CPIC process are linked to the Agency’s strategic goals. Significant
reductions in stovepipe systems have been made through consolidation and / or modernization to
align these systems to the architecture. Duplicate systems have been identified through the CPIC
process by the technical and executive management review. Proposals (e.g., Records and Document
Management, and GEO and GIS) were combined last fiscal year to reduce redundancies and maximize
efficiencies. For the past four years, data standards questions have been required, evaluation
criteria has been established, and a data standards team has reviewed proposals to ensure that
programs are complying with data standard requirements.

Over the next couple years, Central Data Exchange (CDX) will be implemented. As CDX grows and
gains wider acceptance, it will reduce the reporting burden on the states and private industry.
Also, the National Environmental Information Network is being constructed with input from the
states and industry. The new network will greatly enhance the reporting and information exchange
between the states, industry, tribes and the agency.

Finding: 2.8 - During recent years, the CIO should have used an IT investment control process to
solve key Agency-wide problems such as integration of environmental data, electronic reporting,
duplicate systems, Geospatial Information, and data management.
Response: Please restate to acknowledge those very issues targeted and addressed during the CPIC
process. For example, the GEO investment was stopped from receiving operating plan funds in FY01
due to CPIC process findings. Also, duplicate systems were identified and requested to coordinate
development strategies and present before the IIS.

Recommendations

Recommendation: 2.1 - Assign sufficient resources and expertise to ensure timely and effective
implementation of report recommendations; and use objective, risk-based criteria to decide whether
proposed and ongoing IT investments will help resolve key Agency-wide problems and advance EPA’s
IRM vision.
Response: Agreed. Request for an increase in resources (extramural, FTE) has been submitted for
the FY03 and FY04 budgeting years.

From the inception of this process under Clinger-Cohen, management reviews have been risk-based.
The initial method referenced the “Raines rules” following the approach which was then applicable
on a government-wide basis. In the FY 02 CPIC process, the technical review team is using
objective, risk-based criteria by identifying weaknesses and working with program offices in
producing strong business cases, cost/benefit analysis, results-oriented performance measures,
cost and schedules, and presenting proposal evaluation results to the QIC/Information Investment
Subcommittee in a portfolio management enterprise perspective. Increased resources would enable
more frequent investment reviews.
2002-P-00017\n\x0c                                                              EPA Management of Information Technology\n                                                                  Resources Under The Clinger-Cohen Act\n\n                      Chapter 2 - CIO Needs to Fully Implement Clinger-Cohen Act Requirements.\n               Findings                                                         Response\n2.2 - Revise EPA Directive 2100 and       Please restate to acknowledge that OEI has had a process underway since Q1/02,\nrelated guidance to remove outdated       anticipated for completion in Q2/03. The process is to:\nand unauthorized IT business                        1. Identify, from a best practices perspective, what EPA\xe2\x80\x99s IT policy\npractices. Incorporate appropriate                 collection should be (recommendations to be forwarded for CIO review\npolicies and procedures for the                    in August, 2002);\nEnterprise Architecture, CPIC process,\nand IT acquisitions addressed in the               2. Catalog EPA\xe2\x80\x99s current IT policy collection (completion in August,\nClinger-Cohen Act, OMB guidance,                   2002);\nand EPA Delegation 1-84.\n                                                    3. Identify the gaps between the \xe2\x80\x9cshould be\xe2\x80\x9d and \xe2\x80\x9ccurrent\xe2\x80\x9d states i.e.,\n                                                   those IT policies needing to be created, updated, or canceled\n                                                   (September 2002);\n\n                                                   4. 
Develop a multi-year plan for how to address the gaps and bring\n                                                   EPA\xe2\x80\x99s IT policy collection to the \xe2\x80\x9cshould be\xe2\x80\x9d state referencing\n                                                   Enterprise Architecture, CPIC, and IT acquisition processes (November,\n                                                   2002).\n2.3 - Work with the Director for          Please restate to acknowledge that OEI (and previously OIRM) has historically\nAcquisition Management to (a) direct      worked with OARM to ensure appropriate review/concurrence for IT\ncontracting officers and other            acquisitions. The CIO has initiated the establishment of delegations under the\nprocurement personnel to only accept      Clinger-Cohen framework to ensure all IT procurements have formal management\nprocurement requests with a formal CIO    official approval (either CIO or someone with formal authority delegated by the\napproval or officially re-delegated       CIO) before consideration by procurement personnel.\nprocurement authority; and (b)\nestablish interim delegations, policies\nand procedures for IT procurement,\nuntil formal redelegations are revised\nand implemented.\n                      Chapter 3 - Weaknesses in CPIC Process Place EPA\xe2\x80\x99s IT Investments at Risk\n               Findings                                                         Response\n3.1 - However, EPA\xe2\x80\x99s CPIC process         Please restate. EPA\xe2\x80\x99s CPIC process has incorporated the Control phase since its\ndoes not monitor each project\xe2\x80\x99s           inception. The evaluation phase is currently being implemented. 
                                          Refer to
execution during a Control phase nor      Report on Management Options for Implementing the Evaluation Phase of IT
evaluate the adequacy of completed        Capital Planning and Control, dated January 7, 2001 and white paper entitled
projects in an Evaluation phase, as       Implementing the Select/Control/Evaluate Phases of Review, dated April 12,
recommended in Figure 2.                  2001. To be helpful, please identify, in the final report, specific aspects of control
                                          / evaluate phases which OIG believes require further attention.
3.2 - The peer review risk assessment      This finding is inaccurate as stated. The CPIC process has four levels of
was the only substantive process used      qualitative reviews: 1) staff level - a thorough review of proposal format and
to control IT investments, and we          content is conducted; 2) technical peer review - evaluation criteria based on the
found no evidence of a quality             Raines Rules is applied and proposals are evaluated based on technical merit,
assurance process to ensure                then grouped and ranked; and 3) IIS - executive management level review to
investment proposals were accurate.
                                           address funding and policy issues, grouped and ranked red, yellow or green.
                                           4) QIC review.
3.3 - Agency management planning and       This finding is inaccurate as stated. The FY 2002 recommendations were based
budgeting recommendations for fiscal       on the technical peer review analysis and the discussions and deliberations of
2002 were based on IIS opinion, rather     the IIS. The IIS depends heavily on the technical review results.
than objective peer review risk
evaluations.
3.4 - Table: EPA Major Investment          The percentages in these findings do not match reports and OMB statements
Proposals, Key Project Risk Factors        given by EPA and OMB. It would be helpful if the OIG presents the document
(Fiscal 2002)                              which states “OMB Assessment” amounts.

                                           Please also include the statement from OMB “We think a great deal of BCA has
                                           been performed on the majority of the portfolio.”
3.5 - Nevertheless, the IIS                This finding is misleading and should be restated or removed. Projects were
recommended to the Quality &               recommended for funding only after substantial corrective actions were taken to
Information Council and the CIO that all   make the business case, and a fourth review of the project proposal was
48 projects be recommended for             conducted. Five projects were required to address the IIS to explain and defend
funding in the fiscal 2002 budget          their business cases.
submission.
3.6 - Major projects were found to have    This is inaccurate. In 2002, the IIS red-lighted five projects, initially not flagged
material deficiencies by the peer review   by the technical peer review team.
                                           These projects were required to go before the
process, yet the IIS recommended to        IIS for further scrutiny and extensive review of the project’s business case
fund these projects in fiscal 2002. In     occurred.
fiscal 2003, the peer review process
once again stated these projects           The finding should also state that for 2003, following extensive project/portfolio
contained significant weaknesses, but      revisions per senior management direction, OMB subsequently found
IIS still recommended them for funding.    deficiencies to the business case for only 2 of 48 proposals, which they then
                                           accepted after minor revisions.
3.8 - Paragraph on CIO Needs to            The process is formalized, so please restate. For the past five years EPA has
Formalize and Institutionalize a CPIC      been conducting a Capital Planning and Investment Control process (CPIC),
Process - The CIO has yet to establish     which includes a Select and Control phase, appropriate guidance, training,
policies and guidance, and implement       evaluation criteria based from the Raines Rules, a formal technical review process
key Clinger-Cohen Act requirements by      and executive management review to evaluate proposals.
formalizing the CPIC process in Agency
Directive 2100.                            In June 2002, a final CPIC policy was issued, formalizing the process in Agency
                                           Directives.
3.9 - Implementing the Federally            Please restate. There are two separate issues - implementation of I-TIPS and a
sponsored I-TIPS software, an               structured CPIC process.
automated investment control and
reporting system, would provide EPA         OEI is implementing I-TIPS and will be using it to generate OMB reports for this
with a valuable tool for monitoring and     cycle. OIG should also note that EPA’s schedule for I-TIPS implementation
managing its IT investment portfolio.       reflects the fact that I-TIPS does not conform to the Agency’s existing technical
While EPA has been using a peer             architecture and employs web-based functions with security vulnerabilities
review process to evaluate risks,           which required careful risk assessment and mitigation plans, prior to production.
management has not employed a               OEI has developed methods to address vulnerabilities and is moving forward.
structured CPIC process to maximize
the value of investments and manage         From a process perspective, EPA has consistently followed a highly structured
the risks of IT acquisition projects.       approach involving project and program managers at key decision points.
                                            The
                                            process continues to evolve and next year will integrate enterprise architecture
                                            with investment to provide further structure to the process of establishing
                                            management priorities and decision making.

                                            If OIG believes additional structure is required, specific recommendations would
                                            be helpful.


                       Chapter 3 - Weaknesses in CPIC Process Place EPA’s IT Investments at Risk
           Recommendations                                                      Response
3.2 - Formally establish objective, risk-   Please restate. EPA has in fact employed specific evaluation criteria for review of
based criteria for the IIS to use in        CPIC proposals for past CPIC cycles. The evaluation criteria was released as part of
selecting and funding all IT                the annual Exhibit 300 data call so that preparers and reviewers were aware of the
investments (e.g. Chart of EPA System       criteria each proposal would be evaluated against.
Development Risk Factors). Based on
the criteria, management should not         Also, the IIS will be given a technical peer review summary of each of the
fund proposals or projects that classify    proposals prepared in accordance with the evaluation criteria and with that
as high risks.                              information will be following the OMB scoring guidelines provided in this year’s
                                            A-11 guidance.
                                            As part of the Strategic Direction for Investment Management,
                                            the IIS plans to identify business and architectural criteria for investments,
                                            Q1/03.

                                            With this established, the Agency will be able to make even more thorough,
                                            objective, risk-based evaluations of all proposals than in the past. Additional
                                            specific suggestions from OIG on how to further enhance criteria would be
                                            welcome.
3.3 - Postpone funding for current IT        Agreed. However, no “materially deficient” project has been recommended for
projects identified by the Peer Review       investment by the CIO. The Agency’s Information Investment Subcommittee is
process as materially deficient or high      responsible for recommending funding to the CIO regarding major IT
risk for 2 consecutive years, until          investments.
                                             Those projects identified in the Technical Peer Review process as
critical deficiencies are resolved and the   deficient are afforded the opportunity to make revisions to their proposals prior
resolution steps adequately                  to the Subcommittee’s review and, time permitting prior to the QIC’s review.
documented.                                  Forty-eight proposals submitted for funding last year to OMB were approved.

                                             For example, in FY01, the IIS advised the Acting CIO to charge a task force to
                                             develop a strategic direction and architecture for electronic records, dockets, and
                                             document management applications. The IIS made a recommendation to
                                             suspend funding for seven systems. The Acting CIO followed through on that
                                             recommendation (memo from Margaret Schneider, dated October 12, 2001,
                                             Management Task Force for Agency Document Management Systems,
                                             “...suspend spending for design and development work for all new and existing
                                             document management systems.”)
3.4 - Direct the Information Investment      Agreed. As part of ITPPD’s Investment Management strategic planning efforts,
Subcommittee to monitor the execution        and in conjunction with the use of I-TIPS, it is OEI’s vision to evolve the
of IT projects during the fiscal year (at    Agency’s capital planning process to do a continuous update and review process
least quarterly) to identify emerging        in the next two years.
                                             This continuous process will involve Program Offices
cost or schedule problems and initiate       updating their business cases as their systems develop (i.e. moving from
corrective actions.                          different life cycle or CPIC phases). Rather than relying on annual data calls for
                                             updates, this will allow the Program Office management, the Subcommittee, the
                                             QIC and the CIO’s office access to the most current information possible, thus
                                             providing them the ability to address cost or performance issues as they are
                                             identified, not just once a year.
3.5 - Initiate a formal process with         Agreed. As ITPPD prepares its Strategic Planning for IT Investment
written evaluations of ongoing,              Management, one of the areas being examined is the formalization of processes
completed, and terminated information        and evaluations in all phases of the CPIC process, including the possible
technology projects to evaluate              inclusion of Pre-Select and Steady State phases to provide management with on-
whether the projects or systems are          going evaluation monitoring.
successfully delivering promised
benefits at an acceptable cost.
3.6 - Implement an automated project         This recommendation should clearly define the difference between a portfolio
management system (e.g., I-TIPS) to          management system and a project tracking system - I-TIPS is a portfolio
provide timely, reliable information for     management system, not a project management system.
investment decisions.
                                             ITPPD is currently piloting the use of I-TIPS in EPA. ITPPD plans to populate
                                             Exhibit 300 data in I-TIPS and submit electrically to OMB (09/02).
                                             Additionally,
                                             ITPPD plans to develop an Agency-wide deployment strategy for I-TIPS in
                                             Q1/03 for FY 03-04 implementation.


                       Chapter 4 - EPA Needs to Organize and Integrate Planning for IT Investments
                Findings                                                        Response
4.1 - During 2001, EPA completed many       This is incorrect. The Agency’s Enterprise Architecture is posted on the EPA
actions towards establishing a baseline     Intranet and program offices were notified of its availability. The Office of
enterprise architecture for IT planning     Administration and Resources Management (OARM) was notified that the
purposes. In April, EPA provided            architecture had been published.
OMB with documentation of EPA’s
first Enterprise Architecture, dated
March 29, 2001. However, by October,
neither the Agency’s IT Contracting
Officer nor the Procurement Office had
been provided a copy of the proposed
Enterprise Architecture.
4.2 - Moreover, the document was not        Please restate. This finding does not accurately reflect that appropriate guidance
provided timely to the EPA program          was provided from the EA Team to proposal preparers on developing their 2003 /
offices for use in developing IT            2004 investments. The EA Team also worked one-on-one with program offices
investment proposals for the fiscal 2003    requesting assistance.
                                            The current enterprise architecture being developed will
budget submission.                          contain a baseline, target and sequencing approach, which will assist preparer in
                                            the 2005 exercise.
4.3 - Also, OMB reviewed the                Please acknowledge that the workgroup has updated the business processes and
Agency’s fiscal 2001 IT Investment          these processes will be aligned with the new OMB Business Reference Model.
Portfolio and noted that they could not
match the projects in the proposed
Enterprise Architecture to the portfolio.
In August 2001, OEI established a
workgroup to identify and verify EPA’s
business processes for the Enterprise
Architecture baseline. The work
group’s efforts occurred after
completion of our field work; as such,
we do not know fully what they have
accomplished.
4.4 - EPA’s outdated IRM Strategic          Please restate to acknowledge that a “Strategic Information Plan” document is in
Plan has contributed to the delay in        CIO review. The goals and direction put forth in this document are being
implementing the Enterprise                 incorporated as drivers in the target architecture development.
Architecture concept. In May 2001,
EPA established an agency-wide work
group to update the IRM Strategic
Plan. The work group provided the
draft plan to OEI’s Quality Information
Council, but it has yet to be finalized.
4.5 - As of the end of field work, EPA       Agreed, however we have made progress, and plan to acquire QIC approval of
had yet to fully baseline and validate       the EA. Formal validation of baseline program components by the CIO and
the Agency’s business processes              senior program managers, via the QIC, is occurring this year per the management
essential for establishing a portfolio for   plan for build-out of the enterprise architecture.
future IT investments. EPA’s draft
Enterprise Architecture document
included very high-level business
processes; however, these processes
had yet to be validated by the
responsible program offices. We were
informed that some of these business
processes have been revised, but were
unable to substantiate whether the
applicable program offices formally
endorsed the work group’s
conclusions.
4.6 - Therefore, the physical and            Inaccurate. The Security Architecture does address the physical, facility and
personnel security requirements of           personnel security issues.
these servers need to be added into the
baseline security architecture.
4.7 - As depicted in Figure 3, the           This finding is inaccurate. Data standards and critical data are both integral
Enterprise Architecture conceptual           aspects of EPA’s enterprise architecture. The model specifically references data
framework should consist of five             standards, and will address program-specific data needs across several
components.
As such, the Enterprise                      dimensions.
Architecture should define mission-
critical data needs to properly support
the IT investment process. However,
EPA’s current Enterprise Architecture
does not adequately address (1) EPA’s
existing data standards and related
metadata baseline information, and (2)
other critical data used by stakeholders
and programs business processes.

4.8 - We had recommended that EPA            This finding is outdated and should be removed. The Enterprise Architecture
support its data standards program by        does support data standards and the EDR. The document being prepared for
using the Environmental Data Registry        OMB will clearly outline this architectural component.
as a central repository for publishing
and recording data standards. EPA has
yet to do so, and the draft Enterprise
Architecture does not adequately
describe the registry as a critical
component of its target architecture.
4.9 - Complete Inventory of Systems         The Enterprise Architecture will gather more information this year on internal
Needed for Enterprise Architecture ...      system interfaces and partner interfaces within the framework of the National
we found that the Enterprise                Environmental Information Network (NEIN).
                                            The target architecture and
Architecture document does not              sequencing plan will also take into account the impact of external federal Agency
include sufficient information on           interfaces and E-gov directions.
Agency application interfaces. The
document states the CIO plans to
gather and document this information
as part of the Agency’s ongoing
application inventory initiative,
including documentation regarding
major interfaces with applications
outside of the Agency.
4.10 - Our review showed that the           This finding does not provide relevant or helpful direction. Normally, this level
Enterprise Architecture document did        of detail is not in an Enterprise Architecture document. Transaction response
not explicitly identify minimum             requirements for critical data streams will be considered as a factor in the
response times for key transaction-         development of the technical architecture, which must be scaled and engineered
based systems and for business              to support such needs.
application systems on the Agency’s
wide area network.
4.11 - We believe the VPN concept is        OEI agrees with the importance of secure external communications. This year
needed today to help the Agency             OEI is taking the critical steps to establish secure external partner levels of
comply with existing Federal                access with implementation planned to start next year and full operations to be
telecommuting statutory requirements        available on an enterprise basis in 2004 (pending continued availability of
and to satisfy current business needs.      resources).
4.12 - Also, EPA needs to define the        This recommendation is outdated and should be refined. On February 22, 2002,
role and authority of its Chief Architect   the CIO via electronic email, established the Enterprise Architecture Program and
for IRM.
The role of this Chief                      named John Sullivan as Chief Architect for EPA. If additional authority is
Architect is to oversee development         needed in the view of OIG, specific deficiencies should be noted.
and coordination of the Enterprise
Architecture with other planning
elements that should materially shape
and drive the IT planning structure.
The CIO named an individual to this
role in February 2002 (via electronic
mail), but there has been no formal
definition of the position’s scope and
responsibilities, nor any official
delegation of authority.
4.13 - To EPA’s credit, management         This finding should be rephrased. The functional areas identified in the
established a central Enterprise           recommendation are all included within the strategic activities underway this year
Architecture workgroup in August           and planned for next year. Please restate the recommendation to acknowledge
2001. However, no permanent central        the importance of the ongoing efforts being made to address these needs.
organization has been established or
assigned resources to coordinate,
develop, and maintain the Enterprise
Architecture.
Agency-wide Enterprise
Architecture components need to be
addressed and maintained for the
following functional areas: the
identification of EPA’s major and
significant systems; defining the
security architecture; validating the
business processes with program
offices; developing the Middleware
architecture and defining baseline
telecommunication requirements;
defining Working Capital Fund capital
investments; and approving individual
IT project management plans for major
projects or systems.
4.14 - In its fiscal 2003 budget           This finding is inaccurate and does not accurately reflect the continuity of
submission, EPA identified the             results and the connection of that project with the Enterprise Architecture
Information Integration Program as its     program. The products from the Information Integration Program are the basis
only major architectural project for       for the target architecture of the environmental business area. Please restate this
deriving and completing an enterprise      finding to acknowledge the intent and proposed products of the Information
architecture. As critical as the project   Integration Program.
is to EPA’s Enterprise Architecture
development efforts, no final
management work plan has been
implemented for this project since the
draft was issued in December 2000. A
final work plan is essential to ensuring
the timely success of the individual
program, as well as the overall quality
of the Enterprise Architecture Plan and
the Agency’s future technology
investments. Although EPA views the
program as key to improving the overall
integration of environmental
information, this project does not
report to the Chief Architect.
4.15 - The Chief Architect provided        We agree that clear roles and responsibilities are essential in defining the
information that indicates EPA’s           Enterprise Architecture. We have taken the necessary steps to ensure
program and regional offices will be       participants are clearly aware of their respective roles and responsibilities. The
asked to co-develop the Agency's           Chief Architect and the Enterprise Architecture team are working with program
baseline and target elements for the       and regional representatives at the staff level to develop requirements and
enterprise architecture. With OEI's        validate Agency-wide perspectives. At the same time, the Chief Architect is
leadership and facilitation, the program   preparing explicit guidance, including senior management roles, to formally
and regional offices will conduct their    record roles and responsibilities of program and regional offices for the
own architectural needs analysis, and      architecture. This framework for Enterprise Architecture policy and practice will
realign their respective systems with      be reviewed by the CIO and senior managers at a forthcoming QIC meeting in
EPA’s evolving target. We were             July, per the schedule presented to the QIC on 6/26/2002.
unable to substantiate how this will be
accomplished.
The participants will
need a clear understanding of their
roles and responsibilities, as well as
their respective business processes, if
they are to play a significant role in
helping define the enterprise
architecture.
                       Chapter 4 - EPA Needs to Organize and Integrate Planning for IT Investments
          Recommendations                                                      Response
4.1 - As the number one priority, we       This recommendation should be rephrased to acknowledge the efforts underway
recommend that the Chief Information       to plan, manage, monitor and control the development and implementation of the
Officer formally establish:                Enterprise Architecture.
(a)      an Enterprise Architecture
         program to plan, manage,          The Chief Architect, through direct and ongoing consultation with the CIO, has
         monitor, and control the          been directing and coordinating the Agency’s efforts to create an architecture
         development and maintenance       and architecture program. The Chief Architect is working with the CIO and Chief
         of the plan.                      Technology Officer (CTO) to promulgate an Agency-wide framework for
(b)      the Chief Architect position      managing the establishment and implementation of the Enterprise Architecture.
         by clearly defining the role,     This framework will be a major focus for senior executive discussion and decision
         responsibility and authority of   at the July meeting of the QIC.
         the job. The position should
         ensure a system of                We would appreciate any subsequent OIG recommendations that focus on
         accountability for the overall    additional steps required to support this effort.
         architectural effort.
         This
         would include coordinating
         and overseeing resources for
         IRM strategic planning and
         the Information Integration
         Program, and reporting
         directly to the CIO.
4.2 - Under the leadership of the Chief     The Chief Architect and the Architecture Team are responsible for creating,
Architect, update and maintain the          updating and maintaining the Agency’s architecture. As part of creating the
Agency IRM Strategic Plan to support        architecture, the Chief Architecture must coordinate and participate in the
EPA’s Strategic Plan, its Government        strategic planning process, GPRA and other efforts. OEI is producing a
Performance and Results Act                 “Strategic Information Plan” under direction of the OEI - Office of Information
requirements, and the Enterprise            Collection (OIC). This Plan will be used as a driver for the EA development.
Architecture.
4.3 - Identify current major and            EPA agrees with this recommendation.
The Enterprise Architecture will\nsignificant general and application         incorporate all systems (major and significant as defined in the CPIC) and others\nsystems to establish an accurate            into the Information Resources Registry System - which will serve as the Agency\ninventory of such systems and               Applications Inventory. The IRRS is scheduled to be operational by the end\nintegrate this information with both the    FY02. A linkage between the IRRS and the EA repository is planned. All\nAgency\xe2\x80\x99s Enterprise Architecture            application systems within the purview of CPIC review are included in the\napplication component and the IT CPIC       baseline applications architecture.\nPortfolio.\n4.4 - Develop a master project plan for     EPA agrees with this recommendation. The Enterprise Team has an overall\ncompletion of all parts of the Enterprise   management plan and project plan that contains the detail tasks and subtasks to\nArchitecture, including a breakdown of      develop the Enterprise Architecture. Additionally, the Team is in the process of\nthe tasks and subtasks needed to            identifying a change management process for updates to the Agency\xe2\x80\x99s\nacquire, develop, and maintain the          architecture.\nEnterprise Architecture.\n4.5 - Establish an information              Please restate this recommendation to reflect efforts already underway. OEI has\nrepository, require the use of a data       established an EA repository in which the Agency\xe2\x80\x99s business, data,\nregistry for Agency maintained data,        applications, and technologies are mapped and interlinked. As part of the CPIC\nmap EPA\xe2\x80\x99s data and information              process, programs will be required to ensure their systems are represented in the\nresources, and adopt life-cycle data        EA repository and applications inventory. 
The Enterprise Architecture Team is\nmanagement principles for the               coordinating efforts with the ITPPD\xe2\x80\x99s efforts to update the Agency\xe2\x80\x99s life-cycle\nEnterprise Architecture data and            principles currently being developed to produce a \xe2\x80\x9ccook book\xe2\x80\x9d on systems\nsystems components.                         development that will align the Systems Lifecycle policy, the CPIC Process and\n                                            the Enterprise Architecture.\n4. 6 - Use a top management                 EPA agrees with this recommendation. The Enterprise Architecture is presented\nverification, validation, and approval      to the Quality Information Council for recommendation to the CIO for approval.\nprocess to ensure program business          An EA change management and configuration control process is being\nprocesses and goals are accurately          developed to formalize the process of updating the architecture. The Chief\nreflected and incorporated into the         Architect is preparing explicit guidance, including senior management roles, to\nEnterprise Architecture. Subsequently,      formally record roles and responsibilities of program and regional offices for the\nformalize the process as a discipline for   architecture. This framework for Enterprise Architecture policy and practice will\nupdating the Enterprise Architecture        be reviewed by the CIO and senior managers at a forthcoming QIC meeting in\ndocument.                                   July, per the schedule presented to the QIC on 6/26/2002.\n\n\n\n\n                                                           60\n                                                                                             Report No. 
Recommendation 4.7 - Coordinate the Enterprise Architecture document with the Agency’s Office of Acquisition Management for future IT acquisitions. Jointly develop an approval process that ensures the Enterprise Architecture concept is incorporated in IT contract activities for large and significant IT projects.

   Response - EPA agrees with this recommendation. In addition to formal promulgation of acquisition authority and delegations by the CIO, once the EA version 1.0 is approved by the CIO, the EA team will work with OAM to broaden the current contracting clauses to ensure compliance with the EA.

Recommendation 4.8 - Develop a Middleware Architecture as part of the Enterprise Architecture technology component to: define the components that interface among the client and server systems; improve the overall usability of the distributed architecture; and integrate the information repository with the client-server systems.

   Response - Please rephrase this recommendation. As part of the Target Architecture (Q4/02), the data warehouse methodology and platforms will be determined. The detailed design of the warehouse (whether it is virtual or physical) will be contained in the Technical Reference Model, which is being developed as part of the EA. OIG recommendations should be cautious when making specific technical references (e.g. linking client-server systems with the repository) as the target technical architecture is likely to move the Agency towards new models.

Recommendation 4.9 - Establish a comprehensive and explicitly defined set of baseline telecommunications requirements to support a scalable, reliable, and secure network infrastructure for the Enterprise Architecture technology component. Also, address existing bandwidth shortages and provide for additional network capacity to support current business needs and take advantage of technology advances.

   Response - OEI agrees with the importance of this recommendation and its importance for the technical architecture. Telecommunications requirements to support a scalable, reliable, and secure network infrastructure, bandwidth capacity, and additional network capacity are essential components of the Technology Architecture Segment. OEI is working with OCFO and senior agency managers to define a fiduciary and technical management strategy that will address current technical architecture shortfalls and provide more effective methods to maintain the technology in the future.

Chapter 5 - EPA Needs to Strengthen IT Project Management Criteria

Findings

Finding 5.1 - Paragraph on No Reliance or Value Placed on EPA’s IT CPIC Process

   Response - Please discard this finding, it is inaccurate. Over the past five years of the CPIC process, the Investment Management Team has worked with over 50 different program managers at one time or another. We have received positive comments from program managers that the process has forced them to rethink their investments and to pay closer attention to costs, schedule, and milestones. EPA does acknowledge and place value on the need for the IT CPIC process.

Finding 5.2 - EPA had not adopted standard tools to help managers plan, control, and evaluate IT investment projects and track project costs, schedules, and resources.

   Response - Please revise this statement, it is inaccurate. First, with the development of the CFO Comptroller Policy Announcement 01-10 and the IT Cost Tracking system, program offices are required to track project costs. Secondly, as program offices implement this requirement, it clearly complements and links to project planning and work plan development.

Finding 5.3 - The absence of key decision documents and senior management approval increase the risk that funded IT projects will evolve in an unstructured, untimely, and costly manner.

   Response - Please restate this finding to acknowledge efforts of the senior management and decision making body of the QIC. The QIC, referencing recorded recommendations from the IIS, formally acts on each IT investment. Formal meeting notes are taken at each subcommittee meeting, reviewed and approved by the co-chairs, and starting in January 2002, co-chairs signed the meeting notes before being distributed to subcommittee members.

Recommendations

Recommendation 5.1 - We recommend the Chief Information Officer monitor IT investments to ensure that SMPs are prepared in accordance with Agency requirements, and that they appropriately link to the respective Clinger-Cohen Act submission documents the Enterprise Architecture and other planning documents.

   Response - EPA agrees with this recommendation. As OEI prepares its Strategic Planning for IT Investment Management, one of the areas being examined is the formalization of processes and evaluations in all phases of the CPIC process, including the possible inclusion of a Pre-Select phase. The Pre-Select phase will allow the Agency to ensure that all proposed systems in the system lifecycle planning process are aligned with Agency requirements on enterprise architecture, security, etc. This Pre-Select phase will allow EPA to ensure compliance with Systems Lifecycle Policy in advance of a system entering the Select Phase.

Recommendation 5.2 - We recommend the Chief Information Officer re-evaluate funding for IT investments that do not provide sufficient written justifications for projects exceeding budgeted costs or project milestone schedules by more than 10 percent.

   Response - Please rephrase this recommendation to accurately reflect the current process in place. Systems without sufficient justification to cost and schedule variances greater than 10% are not recommended for funding. As part of the Exhibit 300 submission, OMB is requiring that all major systems provide a breakdown of costs and schedule performance from their original baseline. The Chief Information Officer does not recommend investments for projects with insufficient justification or those with excessive cost and schedule variances.

Recommendation 5.3 - We recommend the Chief Information Officer prescribe standard tools for managing system development projects and for managing software changes, as part of the development of consistent definitions of system life cycle stages to be used for IT systems and project management. The selected tool should be approved by the Chief Financial Officer as being compatible with the Agency’s cost accounting system.

   Response - OEI does not agree that it is necessary or appropriate to prescribe uniform tools for managing system development projects and software changes since it is unclear at this time that there is one set of tools which meets the needs of all system development efforts in a cost-effective manner. However, OEI does intend to broaden the scope and usefulness of I-TIPS with particular attention to linkages between I-TIPS and Agency financial data for IT cost tracking. OEI is also leading an effort to update EPA’s System Life Cycle Policy. The updated policy will provide appropriate consistent definitions, lay out the requirements that must be met when an Agency office develops a new system, provide appropriate system development management methodology options, and encourage the use of “best practice” project management principles and techniques. The selected “tools” will be compatible with the Agency’s Financial systems.
Recommendation 5.4 - We recommend the Air Quality System Project Manager update the SMP for the Air Quality System project and obtain the signature of approval of the Assistant Administrator for Air and Radiation at the conclusion of the analysis stage and for major and significant enhancements.

   Response - Please see the memo from William T. Harnett to Patricia H. Hill dated 5/28/02.

Recommendation 5.5 - We recommend the RCRA Information Project Manager revise the Project Management Plan for the RCRAInfo project to make it equivalent to an SMP, and update the document for planned system design changes and enhancements. In addition, the revised SMP should be formally approved by the Assistant Administrator for Solid Waste and Emergency Response to authorize funding for the IT investment and to ensure a system of accountability.

   Response - Please see the memo from Marianne Lamont Horinko to Kimberly Nelson dated 6/14/02.

Recommendation 5.6 - We recommend the SDWIS/STATE Project Manager establish an SMP for the SDWIS/STATE project and obtain the signature of approval from the Assistant Administrator for Water at the conclusion of the analysis stage and for major and significant enhancements.

   Response - We agree with this recommendation and SDWIS/STATE has all the components of a Systems Management Plan. However, the project has not compiled the information into a single document for signature for the following reasons: First, we have not been able to identify the format the agency wishes for the SMP and second, a SMP was not specifically required when the project began.

   Part of our plan for this fiscal year (may slide to early next FY) is to compile the document and present it to management.

Recommendation 5.7 - We recommend the Project Managers for the Air Quality System, RCRAInfo, and SDWIS/STATE link the SMP to the Agency Clinger-Cohen Act submission documents and the Enterprise Architecture and planning documents.

   Response - OAR -- Please see the memo from William T. Harnett to Patricia H. Hill dated 5/28/02.

   OW -- When the SMP document is completed it shall be linked to all IT submissions (where applicable).

   OSWER – Please see the memo from Marianne Lamont Horinko to Kimberly Nelson dated 6/14/02.

Recommendation 5.8 - We recommend the Project Managers for the Air Quality System, RCRAInfo, and SDWIS/STATE manage project development efforts in accordance with the SMP, as updated, throughout the life cycle of the system, and retain the SMP for reference and review by the CIO or the CIO’s designated review official.

   Response - OAR -- Please see the memo from William T. Harnett to Patricia H. Hill dated 5/28/02.

   OW -- We agree that the documents that go into the SMP should be updated throughout the life-cycle of the system. We currently do this and with each new release the following documents are updated (among others): requirements, design, testing, and user documentation. Also, each fiscal year we produce a new work plan. Finally, we continuously update and track our financial reports.

   OSWER – Please see the memo from Marianne Lamont Horinko to Kimberly Nelson dated 6/14/02.

Chapter 6 - Project Cost Accounting System Vital for Planning & Managing IT Investments

Findings

Finding 6.1 - Our concern is compounded by the fact that the three system life cycle categories set forth in the Policy Announcement are inconsistent with the phases described in EPA Directive 2100.

   Response - Please restate this finding to accurately reflect efforts in the Systems Life Cycle work group and the IT Cost Tracking work group. Participants from OEI and OCFO are on both work groups coordinating the IT Cost Tracking system guidance, which includes policy development, and the Systems Life Cycle development, updating our system life cycle policy. The life cycle categories stated in the policy announcement reflect the new work that is being done to update the systems life cycle policy.

Recommendations

Recommendation 6.1 - We recommend the Chief Information Officer, Chief Financial Officer, and Assistant Administrator for Acquisition Management work together to develop consistent definitions of systems life cycle stages and IT costs to be used for contracting, accounting, IT systems, project management, and the capital planning investment control process.

   Response - Please acknowledge the current ongoing efforts underway to meet this recommendation. ITPPD is currently leading an effort to update EPA’s System Life Cycle Policy. This effort will develop consistent definitions that can be used, to the extent practicable, throughout the Agency’s varied processes that relate to IT systems development. Additionally, ITPPD is supporting OCFO efforts in developing an IT Cost Tracking system. As this system matures and focuses on capturing “actual” budget cost data more accurately, and comprehensive training is provided to program offices, management will be able to make better decisions to evaluate investment priorities.

   OCFO and OARM - submitting response under separate cover.
Recommendation 6.2 - We recommend the Chief Information Officer, Chief Financial Officer, and Assistant Administrator for Acquisition Management work together to amend all current Agency software development contracts, and require that all future IT software development contracts be written to require a contractor to break out and separately report all IT software development costs by the system development life cycle.

   Response - OEI – With the following ongoing efforts - the updated Systems Life Cycle Policy, the interim CPIC Policy (final soon to be released), architecture and the IT Cost Tracking system - the modular contracting approach will be supported, contractors will have better guidance on providing development costs, and management will be able to make better decisions on investments. Please acknowledge these efforts in your recommendation.

   OCFO and OARM - submitting response under separate cover.

Recommendation 6.3 - We recommend the CIO and Chief Financial Officer work together to develop consistent systems life cycle and IT costs definitions for revising EPA Directive 2100, and the interim IT activities policy guidance.

   Response - OEI -- Please restate this recommendation to accurately reflect the current efforts being developed between OEI and OCFO. ITPPD is currently leading an effort to update EPA’s System Life Cycle Policy. This effort will develop consistent definitions that can be used, to the extent practicable, throughout the Agency’s varied processes that relate to IT systems development.

   OCFO – submitting response under separate cover.

Recommendation 6.4 - We recommend Chief Financial Officer lead an effort to complete a needs and feasibility assessment of alternatives to determine what types of project cost information and supporting documentation are needed for the capital planning investment control process and managing IT projects.

   Response - Submitting response under separate cover.


Appendix 3
Office of Chief Financial Officer’s Response to Draft Audit Report

July 19, 2002

MEMORANDUM

SUBJECT:   Draft Report on Management of Information Technology Resources
           Inspector General Audit Number 2001-0591

FROM:      Joseph L. Dillon /s/
           Comptroller

TO:        Patricia Hill
           Director for Business Systems (2421)

I appreciate the opportunity to respond to your draft report titled “EPA’s Management of Information Technology Resources under the Clinger-Cohen Act,” Audit Number 2001-0591. The Office of the Chief Financial Officer (OCFO) fully supports your emphasis on effective management controls over EPA’s information technology (IT) portfolio and, as you recommend, we are working closely with the Office of Environmental Information (OEI), the Office of Administration and Resources Management (OARM), and others.

Chapter 6 of your draft, “Project Cost Accounting System Vital for Planning and Managing IT Investments” makes four recommendations for OCFO. A discussion of recent OCFO progress in implementing IT cost accounting is below. Specific responses to your draft recommendations for OCFO are attached.

As you note, Comptroller Policy Announcement No. 01-10, “New Information Technology Accounting Requirements” (PA), has been in effect since October 1, 2001. The PA established a standard method of tracking all IT related costs in the Integrated Financial Management System (IFMS).

As the PA states, OCFO recognizes that the IT cost accounting “procedures represent a new way of doing business in the Agency.” We are now evaluating results and have implemented a quality assurance process to ensure the accuracy of the cost data for both large IT systems and projects, and for smaller projects and general IT activities.
To help familiarize staff with the new information and its uses, an IT Cost Accounting section has been added to OCFO@work at http://intranet.epa.gov/ocfo/policies/itcostacctg.htm. The section includes, as promised in my November 19, 2001 response to your preliminary finding outlines and position papers, several reports on FY 2002 spending for IT. OCFO plans to add instructional materials for system owners, funds control officers, and others to this page.

To build on this year’s experience, OCFO staff are working closely with OEI, the contracts community, headquarters SIRMOs, regional IRM branch chiefs, a regional comptroller, and others. For example, most regions are voluntarily piloting a method that uses two characters to classify their IT investment in greater detail than required by the PA. Results of the pilot are now being evaluated, and proposals are on the table to require a similar level of detail agency wide. Our goal is high quality cost accounting without overly burdensome and time consuming requirements.

Sue Arnold 202-564-5192 can answer any questions.

Attachment

cc:   Linda Combs
      Mike Ryan
      Mark Day
      Terry Ouverson
      Jim Rothwell
      John Gherardini
      Larry Wyborski
      Krista Mainess

OCFO RESPONSES TO OIG DRAFT RECOMMENDATIONS

Chapter 6 of the Inspector General’s Draft Report on Management of Information Technology Resources offers four recommendations for the CFO. OCFO’s responses are below.

Recommendation 6-1 - Develop consistent definitions of systems life cycle stages and IT costs to be used for contracting, accounting, IT systems, project management, and the capital planning investment control process. (Joint recommendation for the CIO, CFO and Assistant Administrator, OARM)

   Response - Comptroller Policy Announcement No. 01-10, “New Information Technology Accounting Requirements” (PA) includes these detailed definitions. To help ensure consistency across the Agency, OCFO has been an active participant in OEI’s workgroup to update IRM Policy Manual 2100, Chapter 17 - System Life Cycle Management, since the workgroup’s inception in November 2001.

Recommendation 6-2 - Amend all current Agency software development contracts, and require that all future IT software development contracts be written to require a contractor to break out and separately report all IT software development costs by the system development life cycle. (Joint recommendation for the CIO, CFO and Assistant Administrator, OARM)

   Response - Attachment B of the PA requires that procurement documents show the life cycle phase, allowing software development costs to be easily rolled up for capitalization. Attachment A requires that project officers (POs), delivery order project officers (DOPO), and contracting officer technical representatives (COTRs) ensure proper IT coding on funding documents, proper allocation of IT activities on invoice payments, and proper classification of projects and systems under their control.

Recommendation 6-3 - Develop consistent systems life cycle and IT costs definitions for revising EPA Directive 2100, and the interim IT activities policy guidance. (Joint recommendation for the CIO and CFO)

   Response - Please see response to Recommendation 6-1.

Recommendation 6-4 - Complete a needs and feasibility assessment of alternatives to determine what types of project cost information and supporting documentation are needed for the capital planning investment control process and managing IT projects.

   Response - As stated above, OCFO is now implementing a structured plan to evaluate the cost information now required by the PA and to make appropriate refinements. We are working closely with OEI in the light of OMB’s new CPIC requirements, as well as with OARM, headquarters SIRMOs, Regional IRM Branch Chiefs, representatives from the funds control and finance communities, and others.

Appendix 4
Office of Air Quality Planning and Standards’ Response to Draft Audit Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
Office of Air Quality Planning and Standards
Research Triangle Park, NC 27711

May 28 2002

MEMORANDUM

SUBJECT:   Response to April 26, 2002 request for comments on Clinger-Cohen Act

FROM:      William T. Harnett, Director
           Information Transfer and Program Integration Division (MC-C304-03)

TO:        Patricia H. Hill, Director for Business Systems
           Office of the Inspector General for Audit (MC-2421)

This memorandum responds to your April 26 request for comments on the IG’s recently released draft report “EPA Management of Information Technology Resources under the Clinger-Cohen Act”. The report primarily discusses how Office of Environmental Information (OEI) and the Chief Information Officer have implemented this important legislation. The report also refers to certain Agency data systems, such as Air Quality System (AQS). In this respect, the report mentions AQS in two places.

One, on page 32, is in relation to an IG recommendation that a System Modernization Plan (SMP) be prepared for AQS and approved by the Assistant Administrator/Office of Air and Radiation (OAR). We generally agree with this and plan to revise the SMP and submit it for concurrence.

The other reference is on page 9.
In this case, we are uncertain of the scope of the issue and have copied the full paragraph from the draft to illustrate our uncertainty.

    “The slowly evolving and decentralized approach being used to develop an IT investment control structure has not been successful. EPA’s approach allowed IT projects to be funded without proper justification, and in the absence of adequate management controls. EPA invested resources on outdated systems that did not maximize the efficiency or resolve long-standing problems, such as integration of environmental data. For example, the Air Quality System was funded $2.5 million for fiscal 2001, although planned modifications did not include adapting the system to function in conjunction with EPA’s Central Data Exchange portal”.

From the last sentence, it appears there is a concern that AQS was not a part of Central Data Exchange (CDX) in fiscal 01. However, given the preceding sentences, it appears there is also a concern that AQS is a project funded without proper justification and without management controls. In addition, it could be interpreted there is a concern that AQS is an outdated system.
We do not believe the report provides an accurate characterization of AQS if all of these concerns are intended for AQS.

With respect to the comment about AQS and the CDX, the AQS Information Technology (IT) budget proposal submitted in FY-01 did include our intent to work with OEI on a joint CDX pilot project in FY-02. In fact, OEI/OAR staff were actively meeting in FY-01 to develop a work plan which was submitted to the Quality and Information Council in late 2001 and approved in early 2002 (along with funding from the Agency’s System Modernization Fund). Work is now underway.

We also disagree with the IG comment that seems to imply that AQS is an outdated system that does not maximize the efficiency or resolve long standing problems such as integration of environmental data. The AQS is an Oracle relational data base which is the Agency’s recommended architecture for such applications. One benefit of Oracle systems is their ability to be integrated with data from other Oracle data bases (such as those being developed throughout the Agency). This technology is consistent with the Agency’s approach for data integration; it is not outdated technology.

If the report is intended to also portray AQS as a system with a lack of proper justification and absence of adequate management controls, material support for this conclusion is lacking in the narrative. We are hopeful the first two sentences of the above citation were not intended to apply to AQS. If they do apply, further explanation is essential. In either case, some editing of the paragraph is recommended.

In summary, we believe this paragraph mischaracterizes the AQS system in many respects. I believe a conference call with you or your staff would be helpful.

Again, thank you for the opportunity to comment and I look forward to discussing the matter with you at your earliest convenience.

cc: J. Seitz, OAQPS
    T. Curran, OAQPS
    B. Kellam, ITPID
    E. Lillis, ITPID
    J. Summers, ITPID
    I. Spons
    R. Slade

Appendix 5
Office of Solid Waste and Emergency Response’s
Response to Draft Audit Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

JUN 14 2002

OFFICE OF
SOLID WASTE AND EMERGENCY RESPONSE

MEMORANDUM

SUBJECT:  OIG Draft Report "EPA's Management of Information Technology Resources Under the
          Clinger-Cohen Act" Audit Number 2001-0591

FROM:     Marianne Lamont Horinko
          Assistant Administrator

TO:       Kimberly Nelson
          Chief Information Officer (2823)

The Office of Solid Waste (OSW) agrees in principle with the general spirit of the OIG report and concurs with the suggested future approaches to system development and project management in EPA. However, contrary to its portrayal in the draft report, we believe that RCRAInfo serves as a model for modular system development, rather than an example for how not to develop systems in our agency.
The modular approach has enabled RCRAInfo to remain flexible to the changing needs of our constituent groups and allowed us to avoid some administrative pitfalls other projects have encountered. It has also eased the administrative burden.

The modular approach uses the Program Area Analysis in its development of requirements for RCRAInfo, which is then approved by senior management before actual development occurs. This inevitably leads to RCRAInfo being in more than one stage of the system development life cycle. We made this choice intentionally to allow the system to adapt in a timely, flexible manner to changing program requirements. Before the beginning of each major project within RCRAInfo, senior managers agreed on the need, and benefit, of continuing with that specific project. Senior managers also agreed on levels of funding for each project.

On page 31, the report states that, "Despite several years of effort, management was still defining RCRAInfo requirements". While some requirements are still being defined for a few RCRAInfo modules, the majority of the RCRAInfo modules are well past this stage and in the development stage. OSW believes that the use of the Information Engineering model, combined with the separation of RCRAInfo into distinct modules that can be independently analyzed and developed, is an appropriate methodology to use for a large, complicated, and dynamic system such as RCRAInfo.

Additionally, the report implies that work on the most crucial modules was put off while earlier modules were developed. The report fails to mention that EPA and its State partners deliberately approached each RCRAInfo module in a consensus order established by senior decision makers. To make the broad RCRA analysis more useful, EPA and the States decided which 5 areas were appropriate for detailed analysis and on the order in which modules would be pursued. Staging the analysis in this manner allowed a number of improvements to move forward (e.g., one recommendation from an early module led to consolidating site information across three different mechanisms into a single form) while appropriate expertise (e.g., compliance personnel) could be directed at the last two modules on a separate track. The schedule also reflected the availability of key personnel to work on modules.

Finally, the following comments are offered regarding recommendations made specifically for RCRAInfo:

Recommendation 5-5: Revise the Project Management Plan for the RCRAInfo project to make it equivalent to a System Management Plan (SMP) and update the document for planned system design changes and enhancements. In addition, the revised System Management Plan (SMP) should be formally approved by the Assistant Administrator for Solid Waste and Emergency Response to authorize funding for the IT investment and to ensure a system of accountability.

Recommendation 5-7: Link the SMP to the Agency Clinger-Cohen Act submission documents and the Enterprise Architecture and planning documents.

Recommendation 5-8: Manage project development efforts in accordance with the SMP, as updated, throughout the life cycle of the system, and retain the SMP for reference and review by the CIO or the CIO's designated review official.

We feel the current development and management structure in place for RCRAInfo already meets the recommended actions and that no change is needed in that structure.
RCRAInfo has a System Management Plan (SMP) in place, as well as a change and enhancement plan. In addition to the Capital Planning and Investment Control Proposal (CPIC) process, RCRAInfo adheres to a formal approval process for the Assistant Administrator for the Office of Solid Waste and Emergency Response to authorize funding for the IT investment and to ensure a system of accountability.

cc:  Jeff Worthington
     William Ocampo
     Brion Cook
     Linda Travers
     Linda Garrison

Appendix 6
Report Distribution

Headquarters
     Administrator
     Deputy Administrator
     Chief Financial Officer
     Assistant Administrator for Air and Radiation
     Assistant Administrator for Enforcement and Compliance Assurance
     Assistant Administrator for Environmental Information
     Assistant Administrator for Solid Waste and Emergency Response
     Associate Administrator for Congressional and Intergovernmental Relations
     Associate Administrator for Regional Operations and State/Local Relations
     Associate Administrator for Congressional and Legislative Affairs
     Associate Administrator for Communications, Education, and Public Affairs
     Agency Followup Official (2710)
     Agency Followup Coordinator (2724)
     Headquarters Library

Office of Inspector General
     Inspector General

Regional Offices
     Regional Administrators
     Regional Libraries

Other
     General Accounting Office
     National Academy of Public Administration
'